Security Bulletin: IBM Tealeaf Customer Experience is affected by a vulnerability in the Apache HTTP server, caused by an error in the mod_log_config module (CVE-2014-0098)

Security Bulletin


Summary

Apache HTTP Server is vulnerable to a denial of service, caused by an error in the mod_log_config module.

Vulnerability Details

CVE-ID: CVE-2014-0098


DESCRIPTION: IBM Tealeaf Customer Experience's PCA (Passive Capture Application) uses the Apache HTTP Server to render its web console. Apache HTTP Server is vulnerable to a denial of service caused by an error in the mod_log_config module. The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.


CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91879
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Tealeaf Customer Experience v8.0-v8.8

Remediation/Fixes

Product | VRMF | Remediation/First Fix
IBM Tealeaf Customer Experience | 8.8 | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8_IBMTealeaf_PCA-3625-4_SecurityRollup_FixPack
IBM Tealeaf Customer Experience | 8.7 | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7_IBMTealeaf_PCA-3615-4_SecurityRollup_FixPack
IBM Tealeaf Customer Experience | 8.6 and earlier | Contact the Technical Support team for guidance. For versions before v8.7, IBM recommends upgrading to a later supported version of the product.

Workarounds and Mitigations

Customers can disable the PCA web console until mod_log_config.so is updated to a version that fixes the vulnerability. While the web console is disabled, the PCA can still be configured manually by editing the Passive Capture Configuration file and the Privacy Rules Configuration file as described below.

To disable the PCA web management console from starting up:
Refer to the section "Disabling Web Server for the Web Console" in the Passive Capture Guide (Passive Capture Guide.pdf).

    The basic steps are:
    - From the command line, disable the web server:
    tealeaf disable httpd
    - Restart the PCA:
    tealeaf restart all

    - A message is displayed indicating that the web management console is disabled:
    tealeaf: notice: httpd is disabled.

Manual Configuration
For manual configuration, refer to the following sections in the PCA manual:

    For the configuration file:
    See section entitled: Passive Capture Configuration File

    For privacy rules file:
    See section entitled: PCA Web Console - Rules Tab
    The actual rules format is detailed at the top of the configuration file itself.
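The remediation above depends on two facts about the PCA host: the Apache level that mod_log_config.so was built from, and whether the vulnerable code path is even reachable. The log_cookie function named in the CVE is the handler behind the %{name}C cookie specifier in LogFormat/CustomLog directives, so a configuration that never logs cookies never calls it. The following shell helpers are an added example (not IBM's or Apache's code, and not part of this bulletin) for triaging both points before deciding whether to apply the fix pack or disable the console. They assume the Apache binary prints a "Server version: Apache/X.Y.Z" line (as `httpd -v` does), that the logging directives live in plain-text config files, and they use the bulletin's own threshold of 2.4.8; the sample version line and config fragment are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: triage helpers for CVE-2014-0098 (mod_log_config log_cookie DoS).
# Assumptions: "httpd -v" style version line; plain-text httpd config; the
# bulletin's "before 2.4.8" threshold. Not IBM Tealeaf or Apache project code.

FIXED_VERSION="2.4.8"   # versions that sort below this are affected per the bulletin

# version_lt A B: exit 0 when dotted version A sorts numerically before B.
# Missing components are treated as 0, so "2.4" < "2.4.8".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# httpd_version LINE: print X.Y.Z from a "Server version: Apache/X.Y.Z ..." line.
# Prints nothing when the line does not match (digits and dots only are kept).
httpd_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# httpd_vulnerable LINE: exit 0 when the reported version predates FIXED_VERSION,
# 1 when it is at or past the fix, 2 when the line could not be parsed.
httpd_vulnerable() {
    v="$(httpd_version "$1")"
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# logformat_logs_cookies FILE: exit 0 when an uncommented LogFormat or CustomLog
# directive uses the %{name}C cookie specifier (the path that calls log_cookie).
# Format modifiers such as %<, %> and %!404 are allowed between % and {.
logformat_logs_cookies() {
    grep -E '^[[:space:]]*(LogFormat|CustomLog)[[:space:]]' "$1" \
        | grep -q '%[<>!0-9,]*{[^}]*}C'
}

# write_sample_config FILE: constructed httpd.conf fragment used for the demo.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real PCA configuration
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %t \"%r\" %>s %{SESSIONID}C" withcookie
CustomLog logs/access_log withcookie
EOF
}

# Demo on constructed input; on a real host feed "$(httpd -v | head -1)" and the
# actual config path instead.
SAMPLE_VERSION_LINE='Server version: Apache/2.4.7 (Unix)'
if httpd_vulnerable "$SAMPLE_VERSION_LINE"; then
    echo "affected level: $SAMPLE_VERSION_LINE"
else
    echo "not affected (or unparseable): $SAMPLE_VERSION_LINE"
fi
SAMPLE_CONF="$(mktemp)"
write_sample_config "$SAMPLE_CONF"
if logformat_logs_cookies "$SAMPLE_CONF"; then
    echo "cookie logging (%{...}C) is configured: log_cookie is reachable"
else
    echo "no cookie logging configured: log_cookie is not exercised"
fi
rm -f "$SAMPLE_CONF"
```

Both checks returning "affected" is the case this bulletin's workaround is for: disable the console (or remove the %{...}C specifier from the log formats) until the fix pack updates mod_log_config.so. A version at or past the threshold, or a configuration with no cookie specifier, still warrants the fix pack but is not exposed to this particular crash.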

References

IBM X-Force Exchange entry for CVE-2014-0098: https://exchange.xforce.ibmcloud.com/vulnerabilities/91879

Acknowledgement

None

Change History

10 June 2016: Update Fix Central links.
11 August 2014: Details added about disabling PCA web management console ("Workarounds and Mitigations" section only).
08 May 2014: Original version published.

*The CVSS Environmental Score is specific to the customer's environment and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
16 June 2018

UID

swg21672603