CVE-2021-35940

Summary

CVE	CVE-2021-35940
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-08-23 10:15:00 UTC
Updated	2023-11-07 03:36:00 UTC
Description	An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Risk And Classification

Problem Types: CWE-125

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Portable Runtime	All	All	All	All
Application	Apache	Portable Runtime	1.7.0	All	All	All
Application	Oracle	Http Server	12.2.1.3.0	All	All	All
Application	Oracle	Http Server	12.2.1.4.0	All	All	All

References

Reference	Source	Link	Tags
[apr-dev] 20210831 APR 1.7.1 release?		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[apr-dev] 20210901 Re: APR 1.7.1 release?		lists.apache.org
[Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released		mail-archives.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released	CONFIRM	mail-archives.apache.org
oss-security - CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613	MLIST	www.openwall.com
[tomcat-dev] 20210922 [jira] [Resolved] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940		lists.apache.org
[Apache-SVN] Revision 1891198	CONFIRM	svn.apache.org
[tomcat-dev] 20210922 [jira] [Commented] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940		lists.apache.org
[apr-dev] 20210831 Re: APR 1.7.1 release?		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[tomcat-dev] 20210922 [jira] [Created] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940		lists.apache.org
[httpd-dev] 20210831 APR 1.7.1 release?		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[tomcat-dev] 20210922 [jira] [Reopened] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
Pony Mail!	CONFIRM	lists.apache.org
N/A	CONFIRM	dist.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: The Apache Portable Runtime project would like to thank Iveta Cesalova (Red Hat) for reporting this issue.

Legacy QID Mappings

180350 Debian Security Update for apr (CVE-2021-35940)
198474 Ubuntu Security Notification for APR Vulnerability (USN-5056-1)
296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
354758 Amazon Linux Security Advisory for apr : ALAS2-2023-1936
355339 Amazon Linux Security Advisory for apr : ALAS2023-2023-016
376737 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUJUL2022)
501356 Alpine Linux Security Update for apr
502206 Alpine Linux Security Update for apr
503863 Alpine Linux Security Update for apr