CVE-2021-35940

7.1 HIGH

📋 TL;DR

CVE-2021-35940 is a regression in Apache Portable Runtime (APR) 1.7.0 of the out-of-bounds array read fixed in APR 1.6.3 as CVE-2017-12613. The apr_time_exp*() functions that convert a broken-down apr_time_exp_t back to an apr_time_t index a static day-offset table with the caller-supplied month field; an out-of-range tm_mon reads past the end of that table. The 1.6.3 range check was not carried forward to the 1.7.x branch, so 1.7.0 is vulnerable again. Applications that pass unvalidated time data to these functions may fold the contents of adjacent static data into the computed time value or crash.

💻 Affected Systems

Products:
  • Apache Portable Runtime (APR)
Versions: APR 1.7.0 only (regression of the fix shipped in APR 1.6.3; restored in APR 1.7.1)
Operating Systems: All operating systems where APR 1.7.0 is installed (both the Unix and the Windows time implementations carry the same lookup)
Default Config Vulnerable: ⚠️ Yes (APR is a library with no relevant configuration; exposure depends on whether the calling application feeds externally controlled month values to apr_time_exp*())
Notes: Only APR 1.7.0 is affected. APR 1.6.3 and later 1.6.x releases carry the CVE-2017-12613 fix and are not vulnerable. An application is only reachable through this bug if it calls the affected apr_time_exp*() conversion functions with an apr_time_exp_t whose tm_mon field comes from untrusted input without validation.

📦 What is this software?

Apache Portable Runtime (APR) is the C portability library maintained by the Apache Software Foundation. It provides a consistent interface to operating-system facilities (memory pools, files, sockets, threads, time handling) and underpins Apache HTTP Server, Apache Subversion and Tomcat Native, among other projects. The apr_time_exp*() family converts between apr_time_t (microseconds since the Unix epoch) and the broken-down apr_time_exp_t structure.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure: an out-of-range month reads a value from static data adjacent to the day-offset table, and that value flows into the returned apr_time_t, so an attacker who can observe the computed time may learn the contents of nearby static memory. A month value far outside the table can address unmapped memory and crash the process, giving denial of service.

🟠

Likely Case

Wrong timestamps or application crashes when a service processes malformed time data, leading to denial of service conditions for that service.

🟢

If Mitigated

Limited impact if the calling application already validates month values before calling apr_time_exp*(); the bug is then unreachable and malformed input only produces an application-level error.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific conditions and malformed input, but internet-facing services using APR could be targeted.
🏢 Internal Only: LOW - Internal systems are less likely to receive maliciously crafted time data unless from compromised internal sources.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Depends on the calling application (APR is a library; the bug is reachable wherever the application passes untrusted month values to apr_time_exp*())
Complexity: MEDIUM

Exploitation requires getting an out-of-range month value (outside 0..11) into an apr_time_exp_t that the application then passes to apr_time_exp_get(), apr_time_exp_gmt_get() or a related apr_time_exp*() conversion. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: APR 1.7.0 with the official CVE-2021-35940 patch applied, or APR 1.7.1 and later

Vendor Advisory: http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw%40mail.gmail.com%3E (this is the APR 1.6.3 announcement for CVE-2017-12613; CVE-2021-35940 is the regression of that fix in 1.7.0)

Restart Required: Yes

Instructions:

1. Apply the official patch from https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch to the APR 1.7.0 source tree
2. Recompile and reinstall APR (and any application that statically links APR, for example Windows builds of Apache HTTP Server that bundle it)
3. Restart all services using APR
4. Alternatively, upgrade to APR 1.7.1 or later, or to a distribution package that carries the backported fix

🔧 Temporary Workarounds

Input validation wrapper

Platform: all

Reject any apr_time_exp_t whose tm_mon field is outside 0..11 before passing it to apr_time_exp_get(), apr_time_exp_gmt_get() or any other apr_time_exp*() function that converts a broken-down time back to apr_time_t.

🧯 If You Can't Patch

  • Validate every externally supplied time field before it reaches APR; in particular, reject month values outside 0..11, which is the only field the out-of-bounds read depends on
  • Monitor application logs for crashes or abnormal behavior related to time processing

🔍 How to Verify

Check if Vulnerable:

Check the APR version with apr-1-config --version. If the output is 1.7.0, determine whether the patch has been applied: distribution packages often backport fixes without changing the upstream version string, so check the package changelog (for example rpm -q --changelog apr | grep CVE-2021-35940 on RPM-based systems, or the changelog.Debian.gz under /usr/share/doc/ for the APR package on Debian and Ubuntu). For a self-built APR, confirm that apr_time_exp_get() in time/unix/time.c (and time/win32/time.c) returns APR_EBADDATE for an out-of-range tm_mon.

Check Version:

apr-1-config --version

Verify Fix Applied:

Verify that the APR version is 1.7.1 or later, or that the CVE-2021-35940 patch (or a distribution backport) has been applied to 1.7.0. As a behavioral check, call apr_time_exp_get() with an apr_time_exp_t whose tm_mon is 12 or -1: a patched build returns APR_EBADDATE instead of performing the table lookup.
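As an added example (not APR's own source and not code from this page), the block below models the apr_time_exp_get() date arithmetic in which the regressed table lookup lives, beside the same converter with the range check that the CVE-2021-35940 patch restores. The day-offset table and the arithmetic follow the shape of APR's converter, but the exp_time_t struct, the function names exp_get_regressed, exp_get_fixed and fixed_usec, and the numeric value used for APR_EBADDATE are assumptions for illustration; a real probe links against libapr and calls apr_time_exp_get() directly.

```c
#include <stdint.h>
#include <stdio.h>

typedef int64_t apr_time_t;          /* microseconds since 1970-01-01 UTC, as in APR */
#define APR_USEC_PER_SEC 1000000LL
#define APR_SUCCESS      0
#define APR_EBADDATE     20004       /* placeholder value; real code uses APR's constant */

/* The apr_time_exp_t fields the conversion reads (assumed subset of the real struct). */
typedef struct {
    int tm_usec, tm_sec, tm_min, tm_hour;
    int tm_mday;                     /* 1..31 */
    int tm_mon;                      /* 0..11 */
    int tm_year;                     /* years since 1900 */
} exp_time_t;

/* Days from 1 March to the first of each month. January and February are
 * counted in the preceding "March year" so that the leap day lands at the
 * end of it. Twelve entries: any tm_mon outside 0..11 reads past this table. */
static const int dayoffset[12] =
    {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};

/* Arithmetic shared by both variants. tm_mon is used as an index with no
 * range check; whoever calls this is responsible for validating it. */
static int convert(apr_time_t *t, const exp_time_t *xt)
{
    apr_time_t year = xt->tm_year;
    apr_time_t days;

    if (xt->tm_mon < 2)
        year--;                      /* Jan/Feb belong to the previous March year */
    days = year * 365 + year / 4 - year / 100 + (year / 100 + 3) / 4;
    days += dayoffset[xt->tm_mon] + xt->tm_mday - 1;   /* out-of-bounds read if tm_mon is bad */
    days -= 25508;                   /* 1 Jan 1970 is 25508 days after 1 Mar 1900 */
    days = ((days * 24 + xt->tm_hour) * 60 + xt->tm_min) * 60 + xt->tm_sec;
    if (days < 0)
        return APR_EBADDATE;
    *t = days * APR_USEC_PER_SEC + xt->tm_usec;
    return APR_SUCCESS;
}

/* Shape of the regressed APR 1.7.0 converter: the month is never checked, so a
 * caller-supplied tm_mon of 12 (or -1, or 1000) indexes outside dayoffset[] and
 * whatever it reads flows into the returned time. Never call this with an
 * out-of-range month; it is here only to show what the patch changes. */
int exp_get_regressed(apr_time_t *t, const exp_time_t *xt)
{
    return convert(t, xt);
}

/* Shape after the CVE-2021-35940 patch: the APR 1.6.3 range check is restored
 * in front of the table lookup, so bad months are rejected before any read. */
int exp_get_fixed(apr_time_t *t, const exp_time_t *xt)
{
    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
        return APR_EBADDATE;
    return convert(t, xt);
}

/* Probe helper for the patched converter: returns the microsecond timestamp for
 * midnight on the given date, or -1 when the converter rejects the input. */
apr_time_t fixed_usec(int year_since_1900, int mon, int mday)
{
    exp_time_t xt = {0};
    apr_time_t t = 0;

    xt.tm_year = year_since_1900;
    xt.tm_mon = mon;
    xt.tm_mday = mday;
    return exp_get_fixed(&t, &xt) == APR_SUCCESS ? t : -1;
}

int main(void)
{
    /* 2000-03-01 converts normally; month 12 must be rejected, not looked up. */
    printf("2000-03-01 -> %lld us since epoch\n", (long long)fixed_usec(100, 2, 1));
    printf("tm_mon=12   -> %s\n",
           fixed_usec(100, 12, 1) < 0 ? "rejected (APR_EBADDATE)"
                                      : "accepted (unpatched behaviour)");
    return 0;
}
```

The same probe against a real build is one call to apr_time_exp_get() with tm_mon set to 12: APR_EBADDATE means the range check is present, APR_SUCCESS means the lookup ran unchecked. Note that the two-entry shift of January and February into the previous year is why the table starts at 306 rather than 0; the bounds check has to sit before that indexing, not after it.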

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Error messages related to apr_time_exp functions
  • Unexpected memory access errors

Network Indicators:

  • Unusual patterns of requests carrying malformed or out-of-range date fields to services that parse dates with APR (the trigger is application-specific, so host-side crash indicators are more reliable than network ones)

SIEM Query:

Search for application crashes containing 'apr_time_exp' or 'segmentation fault' in logs from systems running APR 1.7.0
