Apache APR Vulnerability Lets Local Users Read Sensitive Data on Unix


A recently disclosed vulnerability in the Apache Portable Runtime (APR) library could expose sensitive application data on Unix platforms.

Identified as CVE-2023-49582, the flaw arises from lax permissions on the named shared memory segments the library creates, which would let any local user read data that an application stores in them.

The Apache Portable Runtime (APR) is a set of libraries developed by the Apache Software Foundation that provide a consistent interface for system-level and network programming across different operating systems.


APR allows software developers to write code that can run on different platforms without having to rewrite platform-specific functionality.

“Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.”

“This vulnerability that was reported by security researcher Thomas Stangner does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h). Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.”

The vulnerability affects APR versions 0.9.0 through 1.7.4 on Unix platforms. Builds that define APR_USE_SHMEM_SHMGET=1 in apr.h (named segments backed by System V shmget() rather than by a file or shm object) are not impacted, and non-Unix platforms are not affected.

Users and administrators are strongly advised to upgrade to APR version 1.7.5, which fixes the flaw by creating named shared memory segments with restricted permissions, so other local users can no longer read them.
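The checks a practitioner would run against the advisory's conditions, written out as a shell script. This is an added example for this article, not code from the APR project or from the advisory. It assumes `apr-1-config` is on the PATH (its `--version` and `--includedir` options are real), and that you know which directory holds the files backing the application's named segments; `/dev/shm` is used as the default here and is an assumption, since APR can also back a named segment with a file at a path the application chooses.

```shell
#!/bin/sh
# Added example (not APR project code). Checks three things relevant to
# CVE-2023-49582: the installed APR version, whether apr.h defines
# APR_USE_SHMEM_SHMGET=1, and whether files backing named shared memory
# segments are readable by group or other.

# Version string of the installed APR via apr-1-config; fails if not installed.
apr_version() {
    command -v apr-1-config >/dev/null 2>&1 || return 1
    apr-1-config --version
}

# Succeed (exit 0) when VERSION lies in the affected range 0.9.0 .. 1.7.4.
apr_affected() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-dev"
    num=$(( ${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0} ))
    [ "$num" -ge 900 ] && [ "$num" -le 10704 ]
}

# Succeed when the given apr.h defines APR_USE_SHMEM_SHMGET as 1, i.e. named
# segments use System V shmget(); the advisory says such builds are unaffected.
shmget_build() {
    grep -q '^#define[[:space:]]*APR_USE_SHMEM_SHMGET[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null
}

# List regular files under DIR whose mode grants read to group or other.
# A world-readable segment file is what "lax permissions" means here.
lax_shm_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Run all checks; DIR is the directory holding the segment files (assumed
# to be /dev/shm when not given).
audit() {
    dir=${1:-/dev/shm}
    if ver=$(apr_version); then
        if apr_affected "$ver"; then
            echo "APR $ver: in affected range 0.9.0..1.7.4, upgrade to 1.7.5"
        else
            echo "APR $ver: outside affected range"
        fi
        hdr="$(apr-1-config --includedir)/apr.h"
        if shmget_build "$hdr"; then
            echo "build defines APR_USE_SHMEM_SHMGET=1: not affected"
        else
            echo "build does not use shmget(): file-backed segments, check modes"
        fi
    else
        echo "apr-1-config not found; cannot determine APR version"
    fi
    echo "group/other-readable files under $dir:"
    lax_shm_files "$dir" || echo "(cannot read $dir)"
}

# Run the audit only when invoked as: sh apr_shm_audit.sh audit [DIR]
if [ "${1:-}" = "audit" ]; then
    audit "${2:-/dev/shm}"
fi
```

A version in the affected range, a build without APR_USE_SHMEM_SHMGET, and group/other-readable segment files together are the condition the advisory describes. Note that upgrading only changes the mode of segments created from then on; a segment file created by the old build keeps the mode it was created with until the application recreates it, so restart the application after upgrading.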

  • CVE Identifier: CVE-2023-49582
  • Severity: Moderate
  • Affected Software: Apache Portable Runtime (APR) versions 0.9.0 through 1.7.4
  • Platform: Unix (non-Unix platforms unaffected)
  • Patch Available: Upgrade to APR version 1.7.5

Stay informed and secure your systems by promptly applying the necessary updates.
