Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-12613

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.1, requiring local system access to exploit with relatively low complexity without requiring user interaction requiring only low-level privileges . The vulnerability impacts confidentiality (data exposure), and availability (service disruption) for affected systems. Impacting 11 products from apache, from debian, from redhat and 8 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2017, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.

Published

2017-10-24T01:29:02.000

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 7.1 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:N/A:P

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

3.9

Impact Score

4.9

Weaknesses

Type: Primary
CWE-125

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	portable_runtime	< 1.7.0	Yes
Operating System	debian	debian_linux	7.0	Yes
Operating System	debian	debian_linux	9.0	Yes
Application	redhat	jboss_core_services	-	Yes
Application	redhat	jboss_core_services	1.0	Yes
Application	redhat	jboss_enterprise_web_server	3.0.0	Yes
Application	redhat	software_collections	1.0	Yes
Operating System	redhat	enterprise_linux_desktop	6.0	Yes
Operating System	redhat	enterprise_linux_desktop	7.0	Yes
Operating System	redhat	enterprise_linux_eus	6.7	Yes
Operating System	redhat	enterprise_linux_eus	7.3	Yes
Operating System	redhat	enterprise_linux_eus	7.4	Yes
Operating System	redhat	enterprise_linux_eus	7.5	Yes
Operating System	redhat	enterprise_linux_eus	7.6	Yes
Operating System	redhat	enterprise_linux_eus	7.7	Yes
Operating System	redhat	enterprise_linux_server	6.0	Yes
Operating System	redhat	enterprise_linux_server	7.0	Yes
Operating System	redhat	enterprise_linux_server_aus	6.4	Yes
Operating System	redhat	enterprise_linux_server_aus	6.5	Yes
Operating System	redhat	enterprise_linux_server_aus	6.6	Yes
Operating System	redhat	enterprise_linux_server_aus	7.2	Yes
Operating System	redhat	enterprise_linux_server_aus	7.3	Yes
Operating System	redhat	enterprise_linux_server_aus	7.4	Yes
Operating System	redhat	enterprise_linux_server_aus	7.6	Yes
Operating System	redhat	enterprise_linux_server_aus	7.7	Yes
Operating System	redhat	enterprise_linux_server_tus	6.6	Yes
Operating System	redhat	enterprise_linux_server_tus	7.2	Yes
Operating System	redhat	enterprise_linux_server_tus	7.3	Yes
Operating System	redhat	enterprise_linux_server_tus	7.4	Yes
Operating System	redhat	enterprise_linux_server_tus	7.6	Yes
Operating System	redhat	enterprise_linux_server_tus	7.7	Yes
Operating System	redhat	enterprise_linux_workstation	6.0	Yes
Operating System	redhat	enterprise_linux_workstation	7.0	Yes

References

http://www.apache.org/dist/apr/Announcement1.x.html Release Notes, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2021/08/23/1 Mailing List, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/101560 Broken Link ([email protected])
http://www.securitytracker.com/id/1042004 Third Party Advisory, VDB Entry ([email protected])
https://access.redhat.com/errata/RHSA-2017:3270 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:3475 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:3476 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:3477 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:0316 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:0465 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:0466 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:1253 Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E Issue Tracking, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339%40%3Ccommits.apr.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9%40%3Ccommits.apr.apache.org%3E ([email protected])
https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html Mailing List, Third Party Advisory ([email protected])
https://svn.apache.org/viewvc?view=revision&revision=1807976 Issue Tracking, Third Party Advisory ([email protected])
http://www.apache.org/dist/apr/Announcement1.x.html Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2021/08/23/1 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/101560 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1042004 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:3270 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:3475 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:3476 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:3477 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0316 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0465 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0466 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:1253 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339%40%3Ccommits.apr.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9%40%3Ccommits.apr.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://svn.apache.org/viewvc?view=revision&revision=1807976 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For apache's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.