CVE-2022-28331: Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function
First published: Tue Jan 31 2023(Updated: )
Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr_socket_sendv() function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Portable Runtime | <=1.7.0 | |
| Microsoft Windows | ||
| IBM Engineering Requirements Management DOORS | <=9.7.2.8 | |
| IBM Engineering Requirements Management DOORS Web Access | <=9.7.2.8 | |
| IBM IBM® Rational DOORS/DOORS Web Access | <=9.6.1.x |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r
- https://access.redhat.com/errata/RHSA-2023:4628
- https://access.redhat.com/security/cve/cve-2022-28331
- https://access.redhat.com/errata/RHSA-2023:4910
- https://bugzilla.redhat.com/show_bug.cgi?id=2172556
- https://exchange.xforce.ibmcloud.com/vulnerabilities/246065
- https://www.ibm.com/support/pages/node/7160471 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-28331?
The severity of CVE-2022-28331 is critical with a CVSS v3 score of 9.8.
Which software is affected by CVE-2022-28331?
The Apache Portable Runtime version 1.7.0 and earlier on Windows is affected by CVE-2022-28331.
How does CVE-2022-28331 impact Windows?
CVE-2022-28331 may allow an attacker to write beyond the end of a stack-based buffer in apr_socket_sendv() on Windows systems.
Are Microsoft Windows systems vulnerable to CVE-2022-28331?
No, Microsoft Windows systems are not vulnerable to CVE-2022-28331.
How can I fix CVE-2022-28331?
Update to Apache Portable Runtime version 1.7.1 or later to fix CVE-2022-28331.
- collector/nvd-index
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-28331
- agent/author
- agent/weakness
- agent/severity
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/first-publish-date
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/apache portable runtime
- version/apache portable runtime/1.7.0
- vendor/microsoft
- canonical/microsoft windows
- vendor/ibm
- canonical/ibm engineering requirements management doors
- version/ibm engineering requirements management doors/9.7.2.8
- canonical/ibm engineering requirements management doors web access
- version/ibm engineering requirements management doors web access/9.7.2.8
- canonical/ibm ibm® rational doors/doors web access
- version/ibm ibm® rational doors/doors web access/9.6.1.x