Oracle HTTP Server 10.1.3.5.0/11.1.1.7.0/12.1.2.0 Web Listener server/util.c ap_pregsub numeric error
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.3 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, has been found in Oracle HTTP Server 10.1.3.5.0/11.1.1.7.0/12.1.2.0. This impacts the function ap_pregsub of the file server/util.c of the component Web Listener. This manipulation causes numeric error.
This vulnerability is handled as CVE-2011-3607. Additionally, an exploit exists.
It is advisable to upgrade the affected component.
Details
A vulnerability classified as problematic was found in Oracle HTTP Server 10.1.3.5.0/11.1.1.7.0/12.1.2.0 (Web Server). Affected by this vulnerability is the function ap_pregsub of the file server/util.c of the component Web Listener. The manipulation with an unknown input leads to a numeric error vulnerability. The CWE definition for the vulnerability is CWE-189. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
The weakness was released 01/20/2015 by halfdog as Oracle Critical Patch Update Advisory - January 2015 as confirmed advisory (Website). It is possible to read the advisory at oracle.com. This vulnerability is known as CVE-2011-3607 since 09/21/2011. Attacking locally is a requirement. The exploitation doesn't need any form of authentication. Technical details and also a public exploit are known.
It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept. We expect the 0-day to have been worth approximately $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 68488 (Oracle Linux 5 : httpd (ELSA-2012-0323)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 350701 (Amazon Linux Security Advisory for httpd: ALAS-2012-046).
Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (71093), Exploit-DB (41769), Tenable (68488), SecurityFocus (BID 50494†) and OSVDB (76744†). Additional details are provided at blogs.oracle.com. Entries connected to this vulnerability are available at VDB-68712, VDB-68703, VDB-68721 and VDB-68720. Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.oracle.com
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.9VulDB Meta Temp Score: 5.3
VulDB Base Score: 5.9
VulDB Temp Score: 5.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Numeric errorCWE: CWE-189
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 68488
Nessus Name: Oracle Linux 5 : httpd (ELSA-2012-0323)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 70724
OpenVAS Name: Debian Security Advisory DSA 2405-1 (apache2)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
Exposure Time: 🔍
Timeline
09/21/2011 🔍11/02/2011 🔍
11/02/2011 🔍
11/02/2011 🔍
11/08/2011 🔍
11/08/2011 🔍
11/14/2011 🔍
07/12/2013 🔍
01/20/2015 🔍
01/20/2015 🔍
01/21/2015 🔍
08/10/2024 🔍
Sources
Vendor: oracle.comAdvisory: Oracle Critical Patch Update Advisory - January 2015
Researcher: halfdog
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2011-3607 (🔍)
GCVE (CVE): GCVE-0-2011-3607
GCVE (VulDB): GCVE-100-68671
OVAL: 🔍
X-Force: 71093 - Apache HTTP Server ap_pregsub() buffer overflow
SecurityFocus: 50494 - Apache HTTP Server 'ap_pregsub()' Function Local Privilege Escalation Vulnerability
Secunia: 45793 - Apache HTTP Server "ap_pregsub()" Privilege Escalation Vulnerability, Less Critical
OSVDB: 76744
SecurityTracker: 1026267 - Apache .htaccess File Integer Overflow Lets Local Users Execute Arbitrary Code
Vulnerability Center: 33828 - [cpujan2015-1972971] Apache HTTP Server 2.0.x-2.0.64 and 2.2.x-2.2.21 Local Integer Overflow Vulnerability, High
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 01/21/2015 11:33Updated: 08/10/2024 06:44
Changes: 01/21/2015 11:33 (86), 04/05/2017 09:02 (7), 03/02/2022 22:10 (3), 08/10/2024 06:44 (24)
Complete: 🔍
Cache ID: 216:92C:103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.