NVD Vulnerability Detail

CVE-2009-1956

Summary	Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.
Publication Date	June 8, 2009, 10 a.m.
Registration Date	Jan. 29, 2021, 1:19 p.m.
Last Update	Nov. 7, 2023, 11:04 a.m.

CVSS2.0 : MEDIUM
Score	6.4
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:apr-util::::::::			1.3.4

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:apache:http_server::::::::		2.2.0			2.2.12

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:9.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:8.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:8.04::::-:::
cpe:2.3:o:canonical:ubuntu_linux:6.06:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://svn.apache.org/viewvc?view=rev&revision=768417	CONFIRM	Patch Third Party Advisory
2	http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3	CONFIRM	Vendor Advisory
3	https://bugzilla.redhat.com/show_bug.cgi?id=504390	CONFIRM	Exploit Issue Tracking Patch Third Party Advisory
4	http://www.openwall.com/lists/oss-security/2009/06/06/1	MLIST	Exploit Mailing List Patch
5	http://www.mandriva.com/security/advisories?name=MDVSA-2009:131	MANDRIVA	Broken Link
6	http://www.ubuntu.com/usn/usn-786-1	UBUNTU	Third Party Advisory
7	http://www.securityfocus.com/bid/35251	BID	Third Party Advisory VDB Entry
8	http://www.redhat.com/support/errata/RHSA-2009-1107.html	REDHAT	Third Party Advisory
9	http://www.redhat.com/support/errata/RHSA-2009-1108.html	REDHAT	Third Party Advisory
10	http://secunia.com/advisories/34724	SECUNIA	Broken Link
11	http://secunia.com/advisories/35487	SECUNIA	Broken Link
12	http://secunia.com/advisories/35395	SECUNIA	Broken Link
13	http://www.ubuntu.com/usn/usn-787-1	UBUNTU	Third Party Advisory
14	https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html	FEDORA	Third Party Advisory
15	https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html	FEDORA	Third Party Advisory
16	https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html	FEDORA	Third Party Advisory
17	http://secunia.com/advisories/35565	SECUNIA	Broken Link
18	http://secunia.com/advisories/35710	SECUNIA	Broken Link
19	http://secunia.com/advisories/35843	SECUNIA	Broken Link
20	http://security.gentoo.org/glsa/glsa-200907-03.xml	GENTOO	Third Party Advisory
21	http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241	AIXAPAR	Third Party Advisory
22	http://www-01.ibm.com/support/docview.wss?uid=swg1PK88341	AIXAPAR	Third Party Advisory
23	http://secunia.com/advisories/35797	SECUNIA	Broken Link
24	http://secunia.com/advisories/35284	SECUNIA	Broken Link
25	http://www.vupen.com/english/advisories/2009/1907	VUPEN	Permissions Required
26	http://support.apple.com/kb/HT3937	CONFIRM	Third Party Advisory
27	http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html	APPLE	Mailing List Third Party Advisory
28	http://www.vupen.com/english/advisories/2009/3184	VUPEN	Permissions Required
29	http://www-01.ibm.com/support/docview.wss?uid=swg27014463	CONFIRM	Third Party Advisory
30	http://secunia.com/advisories/37221	SECUNIA	Broken Link
31	http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478	AIXAPAR	Third Party Advisory
32	http://marc.info/?l=bugtraq&m=129190899612998&w=2	HP	Mailing List Third Party Advisory
33	http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html	CONFIRM	Third Party Advisory
34	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150	MANDRIVA	Broken Link
35	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12237	OVAL	Third Party Advisory
36	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11567	OVAL	Third Party Advisory
37	http://www.mail-archive.com/dev%40apr.apache.org/msg21592.html
38	http://www.mail-archive.com/dev%40apr.apache.org/msg21591.html
39	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
40	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
41	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
42	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
43	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
44	https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E
45	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
46	https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E
47	https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d%40%3Ccvs.httpd.apache.org%3E
48	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
49	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
50	https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E
51	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html

JVN Vulnerability Information

Apache APR-util の apr_brigade_vprintf 関数における重要な情報を取得される脆弱性

Title	Apache APR-util の apr_brigade_vprintf 関数における重要な情報を取得される脆弱性
Summary	Apache APR-util の apr_brigade_vprintf 関数には、入力処理に不備があるため、重要な情報を取得される、またはサービス運用妨害 (DoS) 状態となる脆弱性が存在します。
Possible impacts	第三者に重要な情報を取得される、あるいはサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 8, 2009, midnight
Registration Date	Aug. 5, 2009, 11:31 a.m.
Last Update	April 19, 2013, 3:07 p.m.

Affected System

レッドハット

Red Hat Enterprise Linux 3 (as)

Red Hat Enterprise Linux 3 (es)

Red Hat Enterprise Linux 3 (ws)

Red Hat Enterprise Linux 4 (as)

Red Hat Enterprise Linux 4 (es)

Red Hat Enterprise Linux 4 (ws)

Red Hat Enterprise Linux 4.8 (as)

Red Hat Enterprise Linux 4.8 (es)

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 3.0

Red Hat Enterprise Linux Desktop 4.0

Red Hat Enterprise Linux Desktop 5.0 (client)

Red Hat Enterprise Linux EUS 5.3.z (server)

RHEL Desktop Workstation 5 (client)

ヒューレット・パッカード

HP-UX 11.11

HP-UX 11.23

HP-UX 11.31

HP-UX Apache-based Web Server v.2.2.15.03 未満

Apache Software Foundation

Apache HTTP Server 2.2.12 未満

APR-util 1.3.7 未満

オラクル

Oracle HTTP Server

Oracle Solaris 10

IBM

IBM HTTP Server 2.0.47.x

IBM HTTP Server 6.0.2.37 未満

IBM HTTP Server 6.1.0.27 未満

IBM HTTP Server 7.0.0.7 未満

IBM WebSphere Application Server 6.0.2.37 未満

IBM WebSphere Application Server 6.1.0.27 未満

IBM WebSphere Application Server 7.0.0.7 未満

ターボリナックス

Turbolinux Appliance Server 2.0

Turbolinux Appliance Server 3.0

Turbolinux Appliance Server 3.0 (x64)

Turbolinux Client 2008

Turbolinux FUJI (延長メンテナンス)

Turbolinux Server 10

Turbolinux Server 10 (x64)

Turbolinux Server 11

Turbolinux Server 11 (x64)

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

Asianux Server 3.0

Asianux Server 3.0 (x86-64)

Asianux Server 4.0

Asianux Server 4.0 (x86-64)

アップル

Apple Mac OS X v10.5.8

Apple Mac OS X v10.6

Apple Mac OS X v10.6.1

Apple Mac OS X Server v10.5.8

Apple Mac OS X Server v10.6

Apple Mac OS X Server v10.6.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-1956	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
National Vulnerability Database (NVD)
2	CVE-2009-1956	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1956

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	Name	URL
Apache httpd 2.2 vulnerabilities
1	Fixed in Apache httpd 2.2.12	http://httpd.apache.org/security/vulnerabilities_22.html#2.2.12
Apache Software Foundation
2	CHANGES-APR-UTIL-1.3	http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
Apple Security Updates
3	HT3937	http://support.apple.com/kb/HT3937
Apple セキュリティアップデート
4	HT3937	http://support.apple.com/kb/HT3937?viewlocale=ja_JP
Asianux Technical Support Network
5	apr-util-1.2.7-7AXS3.1	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=445
Hewlett Packard
6	HPUXWSATW313	https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW313
HP Security Bulletin
7	HPSBUX02612	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c02579879
IBM Support Document
8	4023947	http://www-01.ibm.com/support/docview.wss?uid=swg24023947
9	7006876	http://www-01.ibm.com/support/docview.wss?uid=swg27006876#60237
10	7007033	http://www-01.ibm.com/support/docview.wss?uid=swg27007033#60237
11	7007951	http://www-01.ibm.com/support/docview.wss?uid=swg27007951#61027
12	7008517	http://www-01.ibm.com/support/docview.wss?uid=swg27008517#61027
13	7014463	http://www-01.ibm.com/support/docview.wss?uid=swg27014463#7007
14	7014506	http://www-01.ibm.com/support/docview.wss?uid=swg27014506#7007
15	PK91241	http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241
16	PM10658	http://www-01.ibm.com/support/docview.wss?uid=swg1PM10658
MIRACLE LINUX アップデート情報
17	1732	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1732
18	1742	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1742
Oracle Critical Patch Update
19	Oracle Critical Patch Update Advisory - April 2013	http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
20	Text Form of Oracle Critical Patch Update - April 2013 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuapril2013verbose-1899563.html
Red Hat Security Advisory
21	RHSA-2009:1107	https://rhn.redhat.com/errata/RHSA-2009-1107.html
22	RHSA-2009:1108	https://rhn.redhat.com/errata/RHSA-2009-1108.html
SECURITY BLOG
23	April 2013 Critical Patch Update Released	https://blogs.oracle.com/security/entry/april_2013_critical_patch_update
24	cve_2009_1956_numeric_errors	http://blogs.oracle.com/sunsecurity/entry/cve_2009_1956_numeric_errors
Turbolinux Security Advisory
25	TLSA-2010-30	http://www.turbolinux.co.jp/security/2010/TLSA-2010-30j.txt
レッドハットセキュリティーアップデート
26	RHSA-2009:1107	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1107J.html
27	RHSA-2009:1108	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1108J.html

その他

No	Name	URL
ISS X-Force Database
1	50993	http://xforce.iss.net/xforce/xfdb/50993
Secunia Advisory
2	SA34724	http://secunia.com/advisories/34724
3	SA35284	http://secunia.com/advisories/35284
4	SA35487	http://secunia.com/advisories/35487
5	SA35797	http://secunia.com/advisories/35797
6	SA35843	http://secunia.com/advisories/35843
SecurityFocus
7	35251	http://www.securityfocus.com/bid/35251

Change Log

No	Changed Details	Date of change
0	[2009年08月05日] 掲載 [2009年09月28日] 影響を受けるシステム：IBM の情報を追加・4023947 ・7007033 ・7006876 ・7007951 ・7008517 ベンダ情報: IBM を追加・4023947 ・7007033 ・7006876 ・7007951 ・7008517 [2009年12月15日] 影響を受けるシステム：IBM (7014506) の情報を追加影響を受けるシステム：IBM (7014463) の情報を追加影響を受けるシステム：アップル (HT3937) の情報を追加ベンダ情報：IBM (7014506) を追加ベンダ情報：IBM (7014463) を追加ベンダ情報：アップル (HT3937) を追加 [2010年04月28日] 影響を受けるシステム：IBM (PM10658) の情報を追加ベンダ情報：IBM (PM10658) を追加 [2010年09月27日] 影響を受けるシステム：ターボリナックス (TLSA-2010-30) の情報を追加ベンダ情報：ターボリナックス (TLSA-2010-30) を追加 [2010年12月15日] 影響を受けるシステム：ヒューレット・パッカード (HPUXWSATW313) の情報を追加影響を受けるシステム：ヒューレット・パッカード (HPSBUX02612) の情報を追加ベンダ情報：ヒューレット・パッカード (HPUXWSATW313) を追加ベンダ情報：ヒューレット・パッカード (HPSBUX02612) を追加 [2011年05月19日] 影響を受けるシステム：オラクル (cve_2009_1956_numeric_errors) の情報を追加ベンダ情報：オラクル (cve_2009_1956_numeric_errors) を追加 [2013年04月19日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - April 2013) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - April 2013) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - April 2013 Risk Matrices) を追加ベンダ情報：オラクル (April 2013 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.