{ "threat_severity" : "Moderate", "public_date" : "2023-01-31T00:00:00Z", "bugzilla" : { "description" : "apr: integer overflow/wraparound in apr_encode", "id" : "2169465", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2169465" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-190", "details" : [ "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0.", "A flaw was found in Apache Portable Runtime (APR). This issue may allow a malicious attacker to write beyond the bounds of a buffer." ], "statement" : "Versions of \"apr-util\" shipped with Red Hat Enterprise Linux-6, 7, 8, and 9 are not affected. \"apr_encode_*\" API, which contains the affected code was added in apr-utils v1.7.0, whereas, RHEL ships apr-util v1.6.1 and lower.", "affected_release" : [ { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2023-08-15T00:00:00Z", "advisory" : "RHSA-2023:4629", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-apr-0:1.7.0-8.el8jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2023-08-15T00:00:00Z", "advisory" : "RHSA-2023:4629", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-0:1.7.0-8.el7jbcs" }, { "product_name" : "JWS 5.7.4 release", "release_date" : "2023-09-04T00:00:00Z", "advisory" : "RHSA-2023:4910", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7", "package" : "apr" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-12-11T00:00:00Z", "advisory" : "RHSA-2023:7711", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "apr-0:1.7.0-12.el9_3" }, { "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 7", "release_date" : "2023-09-04T00:00:00Z", "advisory" : "RHSA-2023:4909", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7", "package" : "jws5-tomcat-native-0:1.2.31-15.redhat_15.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 8", "release_date" : "2023-09-04T00:00:00Z", "advisory" : "RHSA-2023:4909", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8", "package" : "jws5-tomcat-native-0:1.2.31-15.redhat_15.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 9", "release_date" : "2023-09-04T00:00:00Z", "advisory" : "RHSA-2023:4909", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9", "package" : "jws5-tomcat-native-0:1.2.31-15.redhat_15.el9jws" }, { "product_name" : "Text-Only JBCS", "release_date" : "2023-08-15T00:00:00Z", "advisory" : "RHSA-2023:4628", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "jbcs-httpd24-apr" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "apr", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "apr-util", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "apr", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "apr-util", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "apr", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "apr-util", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "apr-util", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-24963\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24963\nhttps://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9" ], "name" : "CVE-2022-24963", "csaw" : false }