CVE-2023-49582: 
Alma Linux vulnerability analysis and mitigation

CVE-2023-49582 affects the Apache Portable Runtime (APR) library versions 0.9.0 through 1.7.4. The vulnerability stems from lax permissions set on Unix platforms that allow local users to read named shared memory segments, potentially exposing sensitive application data. This security issue was discovered in February 2023 and publicly disclosed in August 2024. The vulnerability does not affect non-Unix platforms or builds with APRUSESHMEM_SHMGET=1 (Apache List, OSS Security).

The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The vulnerability specifically affects the shared memory segment permissions on Unix platforms, where the APR library fails to set appropriate access restrictions (NVD, Red Hat).

The primary impact of this vulnerability is the potential disclosure of sensitive application data. Local users can gain read access to named shared memory segments, which may contain confidential information. The vulnerability only affects confidentiality, with no impact on system integrity or availability (Red Hat).

Users are recommended to upgrade to APR version 1.7.5, which contains the fix for this vulnerability. For systems that cannot be immediately upgraded, using builds with APRUSESHMEMSHMGET=1, which use the SysV IPC shmget function instead of POSIX shmopen function, provides an alternative mitigation (OSS Security, Red Hat).