Apache HTTP Server is vulnerable to a denial of service, caused by an error in the mod_log_config module.
CVE-ID: CVE-2014-0098
DESCRIPTION: IBM Tealeaf Customer Experience’s PCA uses the Apache HTTP server to render its web console. Apache HTTP server is vulnerable to a denial of service caused by an error in the mod_log_config module. The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91879
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
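To see which logs on a server pass request cookies through log_cookie, a defender can look for the `%{NAME}C` log format, which is the format item that function implements in mod_log_config. The check below is an added example, not code from IBM or the Apache project; the sample configuration is constructed and the function names are assumptions of this example.

```python
import re
import shlex

# %{NAME}C, optionally with modifiers such as %!200,304{NAME}C or %<{NAME}C
COOKIE_FMT = re.compile(r"%[!<>,\d]*\{[^}]*\}C")

def directives(text):
    """Yield each directive as an argument list; drops comments, joins '\\' continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line and not line.startswith("#"):
            yield shlex.split(line)

def cookie_logs(text):
    """Return [(log target, format)] for every access log whose format uses %{NAME}C."""
    nicknames, default_fmt, logs = {}, "", []
    for args in directives(text):
        name = args[0].lower()
        if name == "logformat" and len(args) == 3:
            nicknames[args[2]] = args[1]          # LogFormat "<fmt>" nickname
        elif name == "logformat" and len(args) == 2:
            default_fmt = args[1]                 # format used by TransferLog
        elif name == "customlog" and len(args) >= 3:
            logs.append((args[1], args[2]))       # explicit format or nickname
        elif name == "transferlog" and len(args) == 2:
            logs.append((args[1], None))
    hits = []
    for target, fmt in logs:
        # Simplification: the last unnamed LogFormat in the file is the default.
        fmt = default_fmt if fmt is None else nicknames.get(fmt, fmt)
        if COOKIE_FMT.search(fmt.replace("%%", "")):  # "%%" is a literal percent
            hits.append((target, fmt))
    return hits

# Constructed sample, not the PCA's shipped configuration.
SAMPLE_CONF = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %t \"%r\" %>s \
    %{JSESSIONID}C" withcookie
CustomLog logs/access_log common
CustomLog logs/session_log withcookie
CustomLog logs/ua_log "%h %{User-agent}i"
'''

if __name__ == "__main__":
    for target, fmt in cookie_logs(SAMPLE_CONF):
        print(f"{target}: logs a cookie via {fmt!r}")
```

The scan covers a single file's text; configurations split across Include files need each file's contents concatenated before the call.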
IBM Tealeaf Customer Experience v8.0-v8.8
Product | VRMF | Remediation/First Fix
---|---|---
IBM Tealeaf Customer Experience | 8.8 |
IBM Tealeaf Customer Experience | 8.7 |
IBM Tealeaf Customer Experience | 8.6 and earlier | You can contact the Technical Support team for guidance.
For versions before v8.7, IBM recommends upgrading to a later supported version of the product.
Customers can disable the PCA web console until mod_log_config.so is updated to the version that fixes the vulnerability. If customers choose to disable the PCA web console, they can configure the PCA manually by editing the Passive Capture Configuration and the Privacy Rules Configuration files as described below.
To disable the PCA web management console from starting up:
Refer to the "Disabling Web Server for the Web Console" section in Passive Capture Guide.pdf.
The basic steps are:
- From the command line, enter the command: tealeaf disable httpd
- Restart the PCA by entering the command: tealeaf restart all
- A message is displayed indicating that the web management console is disabled: tealeaf: notice: httpd is disabled.
Manual Configuration
For manual configuration, refer to the following sections in the PCA manual:
For the configuration file:
See section entitled: Passive Capture Configuration File
For privacy rules file:
See section entitled: PCA Web Console - Rules Tab
The actual rules format is detailed at the top of the configuration file itself.