First published: Tue Jan 31 2023
A flaw was found in the Apache Portable Runtime Utility (APR-util) library. This issue may allow a malicious attacker to cause an out-of-bounds write due to an integer overflow when encoding/decoding a very long string using the base64 family of functions.
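The overflow the description above refers to is a length computation that wraps before an output buffer is sized: a very long input makes the arithmetic produce a small number, the buffer is allocated at that small size, and the encoder then writes past its end. The following C is an added illustration and is not APR-util's code; it assumes the common encoded-length formula `((len + 2) / 3) * 4 + 1`, and every function name in it is hypothetical. It shows an unchecked unsigned 32-bit version of that formula wrapping for a huge input, next to a `size_t` version that bounds every intermediate before it can wrap, and an encoder that refuses to write when the checked size does not fit the caller's buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not APR-util code. All names here are hypothetical.
 * Unchecked 32-bit version of the usual base64 length formula
 * ((len + 2) / 3) * 4 + 1. Unsigned wrap is well defined in C, so this
 * shows the failure mode without undefined behaviour: for len close to
 * UINT32_MAX the intermediate len + 2 wraps to a tiny value and the
 * function reports a buffer size far smaller than an encoder would write. */
uint32_t b64_encode_len_unchecked_u32(uint32_t len) {
    return ((len + 2u) / 3u * 4u) + 1u;
}

/* Checked version: bounds every intermediate before it can wrap.
 * Returns 1 and stores the required buffer size (including the
 * terminating NUL) in *out, or returns 0 if len cannot be encoded safely. */
int b64_encode_len_checked(size_t len, size_t *out) {
    size_t groups;
    if (len > SIZE_MAX - 2) return 0;          /* len + 2 would wrap */
    groups = (len + 2) / 3;
    if (groups > (SIZE_MAX - 1) / 4) return 0; /* groups * 4 + 1 would wrap */
    *out = groups * 4 + 1;
    return 1;
}

/* Convenience wrapper: required size, or 0 when the checked computation refuses. */
size_t b64_encode_len_or_zero(size_t len) {
    size_t n;
    return b64_encode_len_checked(len, &n) ? n : 0;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encoder that sizes its output through the checked function and refuses
 * to write when the caller's buffer is smaller than that. Returns 1 on
 * success (out is NUL-terminated), 0 if the input is too large to size
 * safely or outcap is too small. */
int b64_encode_checked(const unsigned char *in, size_t len, char *out, size_t outcap) {
    size_t need, i, o = 0;
    if (!b64_encode_len_checked(len, &need) || need > outcap) return 0;
    for (i = 0; i + 2 < len; i += 3) {         /* full 3-byte groups */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    if (i < len) {                              /* one or two trailing bytes, padded */
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < len) v |= (uint32_t)in[i + 1] << 8;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
    return 1;
}

/* Encodes a short C string into a fixed 64-byte static buffer;
 * returns NULL when the checked encoder refuses. */
const char *b64_encode_example(const char *s) {
    static char buf[64];
    if (!b64_encode_checked((const unsigned char *)s, strlen(s), buf, sizeof buf))
        return NULL;
    return buf;
}
```

The point of the contrast is where the check lives: the hardened path never lets a size reach the allocator or the write loop unless the arithmetic that produced it was proven not to wrap, and the encoder treats an oversized input as an error rather than a buffer to fill.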
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-101.el8 | 0:1.6.1-101.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-101.el7 | 0:1.6.1-101.el7 |
| redhat/apr-util | <0:1.5.2-6.el7_9.1 | 0:1.5.2-6.el7_9.1 |
| redhat/apr-util | <0:1.6.1-6.el8_8.1 | 0:1.6.1-6.el8_8.1 |
| redhat/apr-util | <0:1.6.1-6.el8_1.1 | 0:1.6.1-6.el8_1.1 |
| redhat/apr-util | <0:1.6.1-6.el8_2.1 | 0:1.6.1-6.el8_2.1 |
| redhat/apr-util | <0:1.6.1-6.el8_4.1 | 0:1.6.1-6.el8_4.1 |
| redhat/apr-util | <0:1.6.1-6.el8_6.1 | 0:1.6.1-6.el8_6.1 |
| redhat/apr-util | <0:1.6.1-20.el9_2.1 | 0:1.6.1-20.el9_2.1 |
| redhat/apr-util | <0:1.6.1-20.el9_0.1 | 0:1.6.1-20.el9_0.1 |
| Apache Portable Runtime Utility | <=1.6.1 | |
| redhat/apr-util | <1.6.2 | 1.6.2 |
| IBM Engineering Requirements Management DOORS | <=9.7.2.8 | |
| IBM Engineering Requirements Management DOORS Web Access | <=9.7.2.8 | |
| IBM® Rational DOORS/DOORS Web Access | <=9.6.1.x | |
CVE-2022-25147 is a vulnerability in the Apache Portable Runtime Utility (APR-util) library that allows a remote attacker to execute arbitrary code or cause a denial of service.
CVE-2022-25147 is considered critical with a severity score of 9.8 out of 10.
The affected software includes apr-util 1.6.2, jbcs-httpd24-apr-util 1.6.1-101.el8, jbcs-httpd24-apr-util 1.6.1-101.el7, apr-util 1.5.2-6.el7_9, apr-util 1.6.1-6.el8_8, apr-util 1.6.1-6.el8_1, apr-util 1.6.1-6.el8_2, apr-util 1.6.1-6.el8_4, apr-util 1.6.1-6.el8_6, apr-util 1.6.1-20.el9_2, apr-util 1.6.1-20.el9_0, and IBM QRadar SIEM 7.5.0 - 7.5.0 UP6.
CVE-2022-25147 can be exploited by sending a specially-crafted request to the vulnerable system.
Updating to apr-util version 1.6.2, or applying the recommended patches from the respective software vendors, fixes CVE-2022-25147.