
Security Bulletin: IBM Tealeaf Customer Experience is affected by a vulnerability in the Apache HTTP server, caused by an error in the mod_log_config module (CVE-2014-0098)



Summary

Apache HTTP Server is vulnerable to a denial of service, caused by an error in the mod_log_config module.

Vulnerability Details

CVE-ID: CVE-2014-0098

DESCRIPTION: The PCA (Passive Capture Application) component of IBM Tealeaf Customer Experience uses the Apache HTTP server to render its web console. Apache HTTP server is vulnerable to a denial of service caused by an error in the mod_log_config module. The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. log_cookie is the handler for the %{name}C log directive, so the crash is reachable only when an active LogFormat records a cookie; no authentication is required to send the request.
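The following pre-check is an added example, not part of the IBM bulletin or the Tealeaf product. It gives an operator the two facts needed before deciding whether to take the PCA web console offline: whether the bundled httpd predates 2.4.8 (the first release carrying the log_cookie fix) and whether any active LogFormat or CustomLog line actually logs a cookie with %{name}C, which is the only path into log_cookie. The banner and configuration text in the demonstration are constructed; on a real host the output of `httpd -v` and the real httpd.conf (plus included files) would be piped in instead.

```shell
#!/bin/sh
# Added pre-check for CVE-2014-0098 on a PCA host (example code, not from
# the IBM bulletin). It answers two questions an operator needs before
# deciding whether to disable the web console:
#   1. Is the httpd build older than 2.4.8, the first release with the
#      log_cookie() fix?
#   2. Does any active LogFormat/CustomLog line log a cookie with %{name}C?
#      That directive is the only path into log_cookie(), so a server that
#      never logs cookies never reaches the faulty truncation code.
# All sample banners and configuration text below are constructed.

# Print the version number from an "httpd -v" banner read on stdin,
# e.g. "Server version: Apache/2.4.7 (Unix)" -> "2.4.7".
banner_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Numeric dotted-version field $2 of $1. ".0.0" is appended so missing
# fields read as 0, and any suffix such as "7-1ubuntu2" is stripped.
version_field() {
    printf '%s.0.0\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//'
}

# Succeed (exit 0) when the version is below 2.4.8. The bulletin covers
# the 2.4 line only; 2.2.x builds are flagged here too so they get reviewed.
httpd_version_vulnerable() {
    maj=$(version_field "$1" 1)
    min=$(version_field "$1" 2)
    pat=$(version_field "$1" 3)
    n=$(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
    [ "$n" -lt 2004008 ]
}

# Succeed when the configuration text on stdin contains an uncommented
# LogFormat or CustomLog line that logs a cookie via %{name}C. %{Cookie}i
# logs the raw header through a different code path and is not matched.
logformat_logs_cookies() {
    grep -v '^[[:space:]]*#' \
    | grep -Eq '^[[:space:]]*(LogFormat|CustomLog)[[:space:]].*%[^ "%]*[{][^}]*[}]C'
}

# Demonstration on constructed input. On a real host:
#   httpd -v | banner_version
#   cat /path/to/httpd.conf | logformat_logs_cookies
banner='Server version: Apache/2.4.7 (Unix)'
ver=$(printf '%s\n' "$banner" | banner_version)
if httpd_version_vulnerable "$ver"; then
    echo "httpd $ver: below 2.4.8, log_cookie() fix absent"
else
    echo "httpd $ver: 2.4.8 or later"
fi

conf='LogFormat "%h %l %u %t \"%r\" %>s %b \"%{JSESSIONID}C\"" withcookie
CustomLog logs/access_log withcookie'
if printf '%s\n' "$conf" | logformat_logs_cookies; then
    echo "cookie logging (%{name}C) is active: crafted Cookie headers reach log_cookie()"
else
    echo "no active LogFormat logs cookies: log_cookie() is never invoked"
fi
```

Both checks should be read together: an old httpd whose log formats never use %{name}C is not exposed through this function, while a patched httpd needs no workaround at all. The version comparison deliberately treats anything below 2.4.8 as needing review rather than trying to model vendor backports.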


CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91879

CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

IBM Tealeaf Customer Experience v8.0-v8.8

Remediation/Fixes

For versions before v8.7, IBM recommends upgrading to a later supported version of the product.

Workarounds and Mitigations

Customers can disable the PCA web console until the bundled mod_log_config.so is replaced by a version that fixes the vulnerability. With the web console disabled, the PCA is configured manually by editing the Passive Capture Configuration file and the Privacy Rules Configuration file as described below.

To disable the PCA web management console from starting up:
Refer to Disabling Web Server for the Web Console section in Passive Capture Guide.pdf

    The basic steps are:
    - From command line, enter the command:
    tealeaf disable httpd
    - Restart the PCA, enter the command:
    tealeaf restart all

    - A message is displayed indicating the web management console is disabled:
    tealeaf: notice: httpd is disabled.

Manual Configuration
For manual configuration, refer to the following sections in the PCA manual:

    For the configuration file:
    See section entitled: Passive Capture Configuration File

    For privacy rules file:
    See section entitled: PCA Web Console - Rules Tab
    The actual rules format is detailed at the top of the configuration file itself.


References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

10 June 2016: Update Fix Central links.
11 August 2014: Details added about disabling PCA web management console ("Workarounds and Mitigations" section only).
08 May 2014: Original version published.

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Tealeaf Customer Experience

Software version: Version Independent

Operating system(s): Platform Independent

Reference #: 1672603

Modified date: 11 August 2014