Security Bulletin
Summary
Apache HTTP Server is vulnerable to a denial of service, caused by an error in the mod_log_config module.
Vulnerability Details
CVE-ID: CVE-2014-0098
DESCRIPTION: IBM Tealeaf Customer Experience's PCA uses the Apache HTTP server to render its web console. Apache HTTP server is vulnerable to a denial of service caused by an error in the mod_log_config module. The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91879
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
IBM Tealeaf Customer Experience v8.0-v8.8
Remediation/Fixes
Product | VRMF | Remediation/First Fix |
IBM Tealeaf Customer Experience | 8.8 | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.8_IBMTealeaf_PCA-3625-4_SecurityRollup_FixPack |
IBM Tealeaf Customer Experience | 8.7 | https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=8.7_IBMTealeaf_PCA-3615-4_SecurityRollup_FixPack |
IBM Tealeaf Customer Experience | 8.6 and earlier | You can contact the Technical Support team for guidance. |
Workarounds and Mitigations
Customers can disable the PCA web console until mod_log_config.so is updated to a version that fixes the vulnerability. If customers choose to disable the PCA web console, they can configure the PCA manually by editing the Passive Capture Configuration and the Privacy Rules Configuration files as described below.
To disable the PCA web management console from starting up:
Refer to the section "Disabling Web Server for the Web Console" in Passive Capture Guide.pdf.
- The basic steps are:
  - From the command line, enter the command:
    tealeaf disable httpd
  - Restart the PCA by entering the command:
    tealeaf restart all
  - A message is displayed indicating that the web management console is disabled:
    tealeaf: notice: httpd is disabled.
Manual Configuration
For manual configuration, refer to the following sections in the PCA manual:
- For the configuration file, see the section entitled: Passive Capture Configuration File
- For the privacy rules file, see the section entitled: PCA Web Console - Rules Tab
The actual rules format is detailed at the top of the configuration file itself.
References
Acknowledgement
None
Change History
10 June 2016: Update Fix Central links.
11 August 2014: Details added about disabling PCA web management console ("Workarounds and Mitigations" section only).
08 May 2014: Original version published.
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
16 June 2018
UID
swg21672603