National Vulnerability Database (NVD) National Vulnerability Database (CVE-2011-0419)

National Cyber Awareness System

Vulnerability Summary for CVE-2011-0419

Original release date:05/16/2011

Last revised:10/30/2012

Source: US-CERT/NIST

Overview

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows disruption of serviceUnknown

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=703390

Type: Patch Information

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=703390

External Source: CONFIRM

Name: http://www.apache.org/dist/httpd/Announcement2.2.html

Type: Patch Information

Hyperlink:http://www.apache.org/dist/httpd/Announcement2.2.html

External Source: CONFIRM

Name: http://www.apache.org/dist/apr/Announcement1.x.html

Type: Patch Information

Hyperlink:http://www.apache.org/dist/apr/Announcement1.x.html

External Source: CONFIRM

Name: http://svn.apache.org/viewvc?view=revision&revision=1098799

Type: Patch Information

Hyperlink:http://svn.apache.org/viewvc?view=revision&revision=1098799

External Source: CONFIRM

Name: http://svn.apache.org/viewvc?view=revision&revision=1098188

Type: Patch Information

Hyperlink:http://svn.apache.org/viewvc?view=revision&revision=1098188

External Source: CONFIRM

Name: http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902

Type: Patch Information

Hyperlink:http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902

External Source: MISC

Name: http://cxib.net/stuff/apache.fnmatch.phps

Type: Patch Information

Hyperlink:http://cxib.net/stuff/apache.fnmatch.phps

External Source: REDHAT

Name: RHSA-2011:0897

Hyperlink:http://www.redhat.com/support/errata/RHSA-2011-0897.html

External Source: REDHAT

Name: RHSA-2011:0896

Hyperlink:http://www.redhat.com/support/errata/RHSA-2011-0896.html

External Source: REDHAT

Name: RHSA-2011:0507

Hyperlink:http://www.redhat.com/support/errata/RHSA-2011-0507.html

External Source: CONFIRM

Name: http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

Hyperlink:http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

External Source: CONFIRM

Name: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15

Hyperlink:http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15

External Source: MANDRIVA

Name: MDVSA-2011:084

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2011:084

External Source: MLIST

Name: [dev] 20110511 Re: Apache Portable Runtime 1.4.4 [...] Released

Hyperlink:http://www.mail-archive.com/dev@apr.apache.org/msg23976.html

External Source: MLIST

Name: [dev] 20110510 Re: Apache Portable Runtime 1.4.4 [...] Released

Hyperlink:http://www.mail-archive.com/dev@apr.apache.org/msg23961.html

External Source: MLIST

Name: [dev] 20110510 Re: fnmatch rewrite in apr, apr 1.4.3

Hyperlink:http://www.mail-archive.com/dev@apr.apache.org/msg23960.html

External Source: DEBIAN

Name: DSA-2237

Hyperlink:http://www.debian.org/security/2011/dsa-2237

External Source: CONFIRM

Name: http://www.apache.org/dist/apr/CHANGES-APR-1.4

Hyperlink:http://www.apache.org/dist/apr/CHANGES-APR-1.4

External Source: CONFIRM

Name: http://support.apple.com/kb/HT5002

Hyperlink:http://support.apple.com/kb/HT5002

External Source: SECTRACK

Name: 1025527

Hyperlink:http://securitytracker.com/id?1025527

External Source: SREASON

Name: 8246

Hyperlink:http://securityreason.com/securityalert/8246

External Source: SREASONRES

Name: 20110512 Multiple Vendors libc/fnmatch(3) DoS (incl apache)

Hyperlink:http://securityreason.com/achievement_securityalert/98

External Source: SECUNIA

Name: 44574

Type: Advisory

Hyperlink:http://secunia.com/advisories/44574

External Source: SECUNIA

Name: 44564

Type: Advisory

Hyperlink:http://secunia.com/advisories/44564

External Source: SECUNIA

Name: 44490

Type: Advisory

Hyperlink:http://secunia.com/advisories/44490

External Source: OVAL

Name: oval:org.mitre.oval:def:14804

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:14804

External Source: OVAL

Name: oval:org.mitre.oval:def:14638

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:14638

External Source: HP

Name: HPSBOV02822

Hyperlink:http://marc.info/?l=bugtraq&m=134987041210674&w=2

External Source: HP

Name: SSRT100966

Hyperlink:http://marc.info/?l=bugtraq&m=134987041210674&w=2

External Source: HP

Name: HPSBMU02704

Hyperlink:http://marc.info/?l=bugtraq&m=132033751509019&w=2

External Source: HP

Name: HPSBUX02707

Hyperlink:http://marc.info/?l=bugtraq&m=131731002122529&w=2

External Source: HP

Name: SSRT100626

Hyperlink:http://marc.info/?l=bugtraq&m=131731002122529&w=2

External Source: HP

Name: HPSBUX02702

Hyperlink:http://marc.info/?l=bugtraq&m=131551295528105&w=2

External Source: HP

Name: SSRT100606

Hyperlink:http://marc.info/?l=bugtraq&m=131551295528105&w=2

External Source: SUSE

Name: SUSE-SU-2011:1229

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00011.html

External Source: APPLE

Name: APPLE-SA-2011-10-12-3

Hyperlink:http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html

External Source: CONFIRM

Name: http://httpd.apache.org/security/vulnerabilities_22.html

Type: Advisory

Hyperlink:http://httpd.apache.org/security/vulnerabilities_22.html

External Source: MISC

Name: http://cxib.net/stuff/apr_fnmatch.txts

Hyperlink:http://cxib.net/stuff/apr_fnmatch.txts

External Source: CONFIRM

Name: http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22

Hyperlink:http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22

Vulnerable software and versions

Configuration 1

* cpe:/a:apache:portable_runtime:0.9.5

* cpe:/a:apache:portable_runtime:0.9.6

* cpe:/a:apache:portable_runtime:0.9.3-dev

* cpe:/a:apache:portable_runtime:0.9.4

* cpe:/a:apache:portable_runtime:0.9.2-dev

* cpe:/a:apache:portable_runtime:0.9.3

* cpe:/a:apache:portable_runtime:0.9.1

* cpe:/a:apache:portable_runtime:0.9.2

* cpe:/a:apache:portable_runtime:1.3.1

* cpe:/a:apache:portable_runtime:1.3.2

* cpe:/a:apache:portable_runtime:0.9.16-dev

* cpe:/a:apache:portable_runtime:1.3.0

* cpe:/a:apache:portable_runtime:0.9.8

* cpe:/a:apache:portable_runtime:0.9.9

* cpe:/a:apache:portable_runtime:0.9.7

* cpe:/a:apache:portable_runtime:0.9.7-dev

* cpe:/a:apache:portable_runtime:1.3.8

* cpe:/a:apache:portable_runtime:1.3.7

* cpe:/a:apache:portable_runtime:1.3.5

* cpe:/a:apache:portable_runtime:1.3.4

* cpe:/a:apache:portable_runtime:1.3.3

* cpe:/a:apache:portable_runtime:1.3.4-dev

* cpe:/a:apache:portable_runtime:1.3.6-dev

* cpe:/a:apache:portable_runtime:1.3.6

* cpe:/a:apache:portable_runtime:1.3.9

* cpe:/a:apache:portable_runtime:1.3.10

* cpe:/a:apache:portable_runtime:1.3.11

* cpe:/a:apache:portable_runtime:1.3.12

* cpe:/a:apache:portable_runtime:1.3.13

* cpe:/a:apache:portable_runtime:1.4.0

* cpe:/a:apache:portable_runtime:1.4.1

* cpe:/a:apache:portable_runtime:1.4.2 and previous versions

Configuration 2

* cpe:/a:apache:http_server:1.3.35

* cpe:/a:apache:http_server:1.3.20

* cpe:/a:apache:http_server:1.3.34

* cpe:/a:apache:http_server:1.3.36

* cpe:/a:apache:http_server:2.1.1

* cpe:/a:apache:http_server:2.1.2

* cpe:/a:apache:http_server:1.3.39

* cpe:/a:apache:http_server:2.1.3

* cpe:/a:apache:http_server:2.0.61

* cpe:/a:apache:http_server:2.0.58

* cpe:/a:apache:http_server:2.1

* cpe:/a:apache:http_server:2.0.55

* cpe:/a:apache:http_server:2.0.54

* cpe:/a:apache:http_server:2.0.57

* cpe:/a:apache:http_server:2.0.56

* cpe:/a:apache:http_server:2.0.51

* cpe:/a:apache:http_server:2.0.50

* cpe:/a:apache:http_server:2.0.53

* cpe:/a:apache:http_server:2.0.52

* cpe:/a:apache:http_server:2.0.47

* cpe:/a:apache:http_server:2.0.46

* cpe:/a:apache:http_server:2.0.49

* cpe:/a:apache:http_server:2.0.48

* cpe:/a:apache:http_server:2.0.43

* cpe:/a:apache:http_server:1.3.19

* cpe:/a:apache:http_server:2.0.42

* cpe:/a:apache:http_server:1.3.18

* cpe:/a:apache:http_server:2.0.45

* cpe:/a:apache:http_server:1.3.17

* cpe:/a:apache:http_server:2.0.44

* cpe:/a:apache:http_server:1.3.14

* cpe:/a:apache:http_server:1.3.41

* cpe:/a:apache:http_server:1.3.0

* cpe:/a:apache:http_server:1.3.38

* cpe:/a:apache:http_server:2.0.63

* cpe:/a:apache:http_server:1.3.24

* cpe:/a:apache:http_server:1.3.25

* cpe:/a:apache:http_server:1.3.22

* cpe:/a:apache:http_server:1.3.23

* cpe:/a:apache:http_server:1.3.27

* cpe:/a:apache:http_server:1.3.26

* cpe:/a:apache:http_server:1.3.42

* cpe:/a:apache:http_server:1.3.2

* cpe:/a:apache:http_server:1.3.10

* cpe:/a:apache:http_server:1.2.9

* cpe:/a:apache:http_server:1.2

* cpe:/a:apache:http_server:1.3.16

* cpe:/a:apache:http_server:1.3.15

* cpe:/a:apache:http_server:1.3.13

* cpe:/a:apache:http_server:1.3.37

* cpe:/a:apache:http_server:2.0.59

* cpe:/a:apache:http_server:2.0.9

* cpe:/a:apache:http_server:2.0.60

* cpe:/a:apache:http_server:1.0

* cpe:/a:apache:http_server:0.8.14

* cpe:/a:apache:http_server:0.8.11

* cpe:/a:apache:http_server:1.1

* cpe:/a:apache:http_server:1.0.5

* cpe:/a:apache:http_server:1.0.3

* cpe:/a:apache:http_server:1.0.2

* cpe:/a:apache:http_server:1.1.1

* cpe:/a:apache:http_server:1.2.5

* cpe:/a:apache:http_server:1.3.65

* cpe:/a:apache:http_server:1.3.1

* cpe:/a:apache:http_server:1.3.11

* cpe:/a:apache:http_server:1.99

* cpe:/a:apache:http_server:1.3.12

* cpe:/a:apache:http_server:1.3.68

* cpe:/a:apache:http_server:1.3.28

* cpe:/a:apache:http_server:1.3.29

* cpe:/a:apache:http_server:1.3.3

* cpe:/a:apache:http_server:1.3.30

* cpe:/a:apache:http_server:1.3.31

* cpe:/a:apache:http_server:1.3

* cpe:/a:apache:http_server:1.3.32

* cpe:/a:apache:http_server:1.2.4

* cpe:/a:apache:http_server:1.3.33

* cpe:/a:apache:http_server:1.3.1.1

* cpe:/a:apache:http_server:1.3.4

* cpe:/a:apache:http_server:1.2.6

* cpe:/a:apache:http_server:1.3.5

* cpe:/a:apache:http_server:1.4.0

* cpe:/a:apache:http_server:1.3.6

* cpe:/a:apache:http_server:1.3.8

* cpe:/a:apache:http_server:1.3.7

* cpe:/a:apache:http_server:2.0

* cpe:/a:apache:http_server:1.3.9

* cpe:/a:apache:http_server:2.0.28:beta

* cpe:/a:apache:http_server:2.0.28

* cpe:/a:apache:http_server:2.0.32:beta

* cpe:/a:apache:http_server:2.0.32

* cpe:/a:apache:http_server:2.0.35

* cpe:/a:apache:http_server:2.0.34:beta

* cpe:/a:apache:http_server:2.0.37

* cpe:/a:apache:http_server:2.0.36

* cpe:/a:apache:http_server:2.0.39

* cpe:/a:apache:http_server:2.0.38

* cpe:/a:apache:http_server:2.0.41

* cpe:/a:apache:http_server:2.0.40

* cpe:/a:apache:http_server:2.1.4

* cpe:/a:apache:http_server:2.1.5

* cpe:/a:apache:http_server:2.1.6

* cpe:/a:apache:http_server:2.1.7

* cpe:/a:apache:http_server:2.1.8

* cpe:/a:apache:http_server:2.1.9

* cpe:/a:apache:http_server:2.2

* cpe:/a:apache:http_server:2.2.0

* cpe:/a:apache:http_server:2.2.1

* cpe:/a:apache:http_server:2.2.10

* cpe:/a:apache:http_server:2.2.11

* cpe:/a:apache:http_server:2.2.12

* cpe:/a:apache:http_server:2.2.13

* cpe:/a:apache:http_server:2.2.14

* cpe:/a:apache:http_server:2.2.15

* cpe:/a:apache:http_server:2.2.16

* cpe:/a:apache:http_server:2.2.2

* cpe:/a:apache:http_server:2.2.3

* cpe:/a:apache:http_server:2.2.4

* cpe:/a:apache:http_server:2.2.6

* cpe:/a:apache:http_server:2.2.8

* cpe:/a:apache:http_server:2.2.9

* cpe:/a:apache:http_server:2.2.17 and previous versions

Configuration 3

* cpe:/o:netbsd:netbsd:5.1

* cpe:/o:openbsd:openbsd:4.8

* cpe:/o:freebsd:freebsd

* cpe:/o:apple:mac_os_x:10.6.0

* cpe:/o:oracle:solaris:10

* cpe:/o:google:android

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Resource Management Errors (CWE-399)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419