Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2012-0883

Overview

Vulnerability Score 6.9 6.9
CVE Id CVE-2012-0883
Last Modified 17 Sep 2013 11:18:41
Published 18 Apr 2012 06:33:33
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact COMPLETE COMPLETE
Availability Impact COMPLETE COMPLETE
Access Vector LOCAL
Access Complexity MEDIUM
Authentication NONE

CVE-2012-0883

Summary

envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.

Vulnerable Systems

Application

  • Apache Http Server 0.8.11

  • Apache Http Server 0.8.14

  • Apache Http Server 1.0

  • Apache Http Server 1.0.2

  • Apache Http Server 1.0.3

  • Apache Http Server 1.0.5

  • Apache Http Server 1.1

  • Apache Http Server 1.1.1

  • Apache Http Server 1.2

  • Apache Http Server 1.2.4

  • Apache Http Server 1.2.5

  • Apache Http Server 1.2.6

  • Apache Http Server 1.2.9

  • Apache Http Server 1.3

  • Apache Http Server 1.3.0

  • Apache Http Server 1.3.1

  • Apache Http Server 1.3.1.1

  • Apache Http Server 1.3.10

  • Apache Http Server 1.3.11

  • Apache Http Server 1.3.12

  • Apache Http Server 1.3.13

  • Apache Http Server 1.3.14

  • Apache Http Server 1.3.15

  • Apache Http Server 1.3.16

  • Apache Http Server 1.3.17

  • Apache Http Server 1.3.18

  • Apache Http Server 1.3.19

  • Apache Http Server 1.3.2

  • Apache Http Server 1.3.20

  • Apache Http Server 1.3.22

  • Apache Http Server 1.3.23

  • Apache Http Server 1.3.24

  • Apache Http Server 1.3.25

  • Apache Http Server 1.3.26

  • Apache Http Server 1.3.27

  • Apache Http Server 1.3.28

  • Apache Http Server 1.3.29

  • Apache Http Server 1.3.3

  • Apache Http Server 1.3.30

  • Apache Http Server 1.3.31

  • Apache Http Server 1.3.32

  • Apache Http Server 1.3.33

  • Apache Http Server 1.3.34

  • Apache Http Server 1.3.35

  • Apache Http Server 1.3.36

  • Apache Http Server 1.3.37

  • Apache Http Server 1.3.38

  • Apache Http Server 1.3.39

  • Apache Http Server 1.3.4

  • Apache Http Server 1.3.41

  • Apache Http Server 1.3.42

  • Apache Http Server 1.3.5

  • Apache Http Server 1.3.6

  • Apache Http Server 1.3.65

  • Apache Http Server 1.3.68

  • Apache Http Server 1.3.7

  • Apache Http Server 1.3.8

  • Apache Http Server 1.3.9

  • Apache Http Server 1.4.0

  • Apache Http Server 1.99

  • Apache Http Server 2.0

  • Apache Http Server 2.0.28

  • Apache Http Server 2.0.32

  • Apache Http Server 2.0.34

  • Apache Http Server 2.0.35

  • Apache Http Server 2.0.36

  • Apache Http Server 2.0.37

  • Apache Http Server 2.0.38

  • Apache Http Server 2.0.39

  • Apache Http Server 2.0.40

  • Apache Http Server 2.0.41

  • Apache Http Server 2.0.42

  • Apache Http Server 2.0.43

  • Apache Http Server 2.0.44

  • Apache Http Server 2.0.45

  • Apache Http Server 2.0.46

  • Apache Http Server 2.0.47

  • Apache Http Server 2.0.48

  • Apache Http Server 2.0.49

  • Apache Http Server 2.0.50

  • Apache Http Server 2.0.51

  • Apache Http Server 2.0.52

  • Apache Http Server 2.0.53

  • Apache Http Server 2.0.54

  • Apache Http Server 2.0.55

  • Apache Http Server 2.0.56

  • Apache Http Server 2.0.57

  • Apache Http Server 2.0.58

  • Apache Http Server 2.0.59

  • Apache Http Server 2.0.60

  • Apache Http Server 2.0.61

  • Apache Http Server 2.0.63

  • Apache Http Server 2.0.9

  • Apache Http Server 2.1

  • Apache Http Server 2.1.1

  • Apache Http Server 2.1.2

  • Apache Http Server 2.1.3

  • Apache Http Server 2.1.4

  • Apache Http Server 2.1.5

  • Apache Http Server 2.1.6

  • Apache Http Server 2.1.7

  • Apache Http Server 2.1.8

  • Apache Http Server 2.1.9

  • Apache Http Server 2.2

  • Apache Http Server 2.2.0

  • Apache Http Server 2.2.1

  • Apache Http Server 2.2.10

  • Apache Http Server 2.2.11

  • Apache Http Server 2.2.12

  • Apache Http Server 2.2.13

  • Apache Http Server 2.2.14

  • Apache Http Server 2.2.15

  • Apache Http Server 2.2.16

  • Apache Http Server 2.2.17

  • Apache Http Server 2.2.18

  • Apache Http Server 2.2.19

  • Apache Http Server 2.2.2

  • Apache Http Server 2.2.20

  • Apache Http Server 2.2.21

  • Apache Http Server 2.2.3

  • Apache Http Server 2.2.4

  • Apache Http Server 2.2.6

  • Apache Http Server 2.2.8

  • Apache Http Server 2.2.9

  • Apache Http Server 2.3.0

  • Apache Http Server 2.3.1

  • Apache Http Server 2.3.10

  • Apache Http Server 2.3.11

  • Apache Http Server 2.3.12

  • Apache Http Server 2.3.13

  • Apache Http Server 2.3.14

  • Apache Http Server 2.3.15

  • Apache Http Server 2.3.16

  • Apache Http Server 2.3.2

  • Apache Http Server 2.3.3

  • Apache Http Server 2.3.4

  • Apache Http Server 2.3.5

  • Apache Http Server 2.3.6

  • Apache Http Server 2.3.7

  • Apache Http Server 2.3.8

  • Apache Http Server 2.3.9

  • Apache Http Server 2.4.0

  • Apache Http Server 2.4.1


References

CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1296428

CONFIRM - http://www.apache.org/dist/httpd/Announcement2.4.html

MLIST - [dev] 20120417 [ANNOUNCEMENT] Apache HTTP Server 2.4.2 Released

SECTRACK - 1026932

HP - HPSBUX02791

HP - SSRT100856

SECUNIA - 48849

SUSE - openSUSE-SU-2013:0248

SUSE - openSUSE-SU-2013:0243

HP - SSRT101209

HP - HPSBMU02900

CONFIRM - http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf

CONFIRM - http://support.apple.com/kb/HT5880

APPLE - APPLE-SA-2013-09-12-1

Related Patches

SUN120543-30 Solaris 10 SPARC: Apache 2 Patch (Rev 2)

SUN120544-30 Solaris 10 x86: Apache 2 Patch (Rev 2)


Last Updated: 27 May 2016 10:57:30