製品・ソフトウェアに関する情報

JVN脆弱性詳細

Windows 上で稼動する Apache Portable Runtime における境界外書き込みに関する脆弱性

Title	Windows 上で稼動する Apache Portable Runtime における境界外書き込みに関する脆弱性
Summary	Windows 上で稼動する Apache Portable Runtime には、境界外書き込みに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 31, 2023, midnight
Registration Date	June 21, 2023, 2:52 p.m.
Last Update	Sept. 27, 2023, 2:20 p.m.

CVSS3.0 : 緊急
Score	9.8
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected System

Apache Software Foundation

Apache Portable Runtime Utility 1.7.0 およびそれ以前

日立

Cosminexus HTTP Server

Hitachi Application Server

Hitachi Application Server for Developers

Hitachi Configuration Manager

Hitachi Device Manager

Hitachi Ops Center API Configuration Manager

Hitachi Web Server

Hitachi Web Server - Custom Edition

uCosminexus Application Server

uCosminexus Application Server Enterprise

uCosminexus Application Server Express

uCosminexus Application Server Smart Edition

uCosminexus Application Server Standard

uCosminexus Application Server Standard-R

uCosminexus Application Server-R

uCosminexus Developer

uCosminexus Developer 01

uCosminexus Developer Light

uCosminexus Developer Professional

uCosminexus Developer Professional for ATM

uCosminexus Developer Professional for Plug-in

uCosminexus Developer Standard

uCosminexus Primary Server Base

uCosminexus Service Architect

uCosminexus Service Platform

uCosminexus Service Platform - Messaging

プログラミング環境 for Java

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-28331	https://www.cve.org/CVERecord?id=CVE-2022-28331
National Vulnerability Database (NVD)
2	CVE-2022-28331	https://nvd.nist.gov/vuln/detail/CVE-2022-28331
Pony Mail
3	CVE-2022-28331: Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function	https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-787	https://cwe.mitre.org/data/definitions/787.html

ベンダー情報

No	Name	URL
Hitachi Software Vulnerability Information
1	hitachi-sec-2023-122	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-122/index.html
2	hitachi-sec-2023-138	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-138/index.html
ソフトウェア製品セキュリティ情報
3	hitachi-sec-2023-122	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2023-122/index.html
4	hitachi-sec-2023-138	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2023-138/index.html

Change Log

No	Changed Details	Date of change
1	[2023年06月21日] 掲載	June 21, 2023, 2:52 p.m.
2	[2023年09月27日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2023-138) を追加	Sept. 27, 2023, 11:25 a.m.

NVD Vulnerability Information

CVE-2022-28331

Summary	On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.
Publication Date	Feb. 1, 2023, 1:15 a.m.
Registration Date	Feb. 1, 2023, 10 a.m.
Last Update	Nov. 21, 2024, 3:57 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:portable_runtime::::::::			1.7.0
execution environment
1	cpe:2.3:o:microsoft:windows:-:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r		Mailing List Vendor Advisory
2	https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r		Mailing List Vendor Advisory

Common Vulnerabilities List