Apache HTTP Server security may be impacted by missing bounds checks in the 
SDBM implementation from APR prior to version 1.6.3 (released October 22, 2017) 
[1]. SDBM can be used in various parts of Apache HTTP Server including most 
notably for authentication and object caching.  While it is unlikely that a 
remote attacker could ever present the server with crafted SDBM pages, the 
possibility exists that an attacker may be able to leverage this behavior in a 
shared hosting environment to extract secrets from other sites.

These issues were identified using the AFL fuzzer with ASAN and have been 
assigned CVE-2017-12618 (APR).  As previously noted, the custom pool allocator 
used in APR can mask memory safety issues from ASAN so it is possible that the 
risk may extend beyond application crashes and information disclosure [2].

[1] http://www.apache.org/dist/apr/Announcement1.x.html
[2] https://fuzzing-project.org/tutorial-tips.html

Best Regards,
Craig Young
Principal Security Researcher, Tripwire VERT
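
The following is an added illustration of the kind of bounds checking a reader of on-disk SDBM pages needs before trusting stored offsets; it is not part of the original message and is not APR's code or its fix for CVE-2017-12618. The page size, the slot layout and the names page_is_sane and check_sample are assumptions modelled on a classic sdbm-style slotted page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PBLKSIZ 1024                       /* assumed page size */
#define NSLOTS  (PBLKSIZ / (int)sizeof(int16_t))

/* Assumed layout: slot[0] = number of offsets n (two per key/value pair),
 * slot[1..n] = start offsets of each item, data packed downward from the
 * end of the page, so offsets must be non-increasing. */
int page_is_sane(const unsigned char *pag)
{
    int16_t ino[NSLOTS];
    memcpy(ino, pag, PBLKSIZ);             /* copy out: no unaligned reads */

    int n = ino[0];
    if (n < 0 || (n & 1) || n > NSLOTS - 1)
        return 0;                          /* count negative, odd or too big */

    int floor = (n + 1) * (int)sizeof(int16_t); /* first byte past the index */
    int prev = PBLKSIZ;                    /* start of the previous item */
    for (int i = 1; i <= n; i++) {
        if (ino[i] < floor || ino[i] > prev)
            return 0;                      /* points into index or past prev */
        prev = ino[i];
    }
    return 1;
}

/* Constructed sample: a page whose header holds a count and two offsets. */
int check_sample(int16_t n, int16_t key_off, int16_t val_off)
{
    unsigned char pag[PBLKSIZ] = {0};
    int16_t hdr[3] = { n, key_off, val_off };
    memcpy(pag, hdr, sizeof hdr);
    return page_is_sane(pag);
}

int main(void)
{
    printf("well-formed:     %d\n", check_sample(2, 1020, 1010));
    printf("offset past end: %d\n", check_sample(2, 4000, 1010));
    printf("negative count:  %d\n", check_sample(-2, 1020, 1010));
    printf("huge count:      %d\n", check_sample(2000, 1020, 1010));
    return 0;
}
```

A page that fails this check should be rejected as corrupt before any key or value pointer is derived from it.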
