CVE-2014-0098 - The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server b

CVE-2014-0098

Summary

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.

References

Vulnerable Configurations

cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.15-60:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.15-60:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:4.71:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:4.71:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:4.63:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:4.63:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:11.1.1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:11.1.1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:10.1.3.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:10.1.3.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.1:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*

CVSS

Base:	5.0 (as of 14-09-2022 - 19:52)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

redhat via4

advisories

bugzilla

id	1077871
title	CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment httpd is earlier than 0:2.2.3-85.el5_10
oval oval:com.redhat.rhsa:tst:20140369001
comment httpd is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070556002
AND
comment httpd-devel is earlier than 0:2.2.3-85.el5_10
oval oval:com.redhat.rhsa:tst:20140369003
comment httpd-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070556004
AND
comment httpd-manual is earlier than 0:2.2.3-85.el5_10
oval oval:com.redhat.rhsa:tst:20140369005
comment httpd-manual is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070556006
AND
comment mod_ssl is earlier than 1:2.2.3-85.el5_10
oval oval:com.redhat.rhsa:tst:20140369007
comment mod_ssl is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070556008

rhsa

id	RHSA-2014:0369
released	2014-04-03
severity	Moderate
title	RHSA-2014:0369: httpd security update (Moderate)

bugzilla

id	1077871
title	CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003

AND
comment httpd is earlier than 0:2.2.15-30.el6_5
oval oval:com.redhat.rhsa:tst:20140370001
comment httpd is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194002
AND
comment httpd-devel is earlier than 0:2.2.15-30.el6_5
oval oval:com.redhat.rhsa:tst:20140370003
comment httpd-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194004

AND

comment httpd-manual is earlier than 0:2.2.15-30.el6_5
oval oval:com.redhat.rhsa:tst:20140370005
comment httpd-manual is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194006

AND
comment httpd-tools is earlier than 0:2.2.15-30.el6_5
oval oval:com.redhat.rhsa:tst:20140370007
comment httpd-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194008
AND
comment mod_ssl is earlier than 1:2.2.15-30.el6_5
oval oval:com.redhat.rhsa:tst:20140370009
comment mod_ssl is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194016

rhsa

id	RHSA-2014:0370
released	2014-04-03
severity	Moderate
title	RHSA-2014:0370: httpd security update (Moderate)

rpms

httpd-0:2.2.3-85.el5_10
httpd-debuginfo-0:2.2.3-85.el5_10
httpd-devel-0:2.2.3-85.el5_10
httpd-manual-0:2.2.3-85.el5_10
mod_ssl-1:2.2.3-85.el5_10
httpd-0:2.2.15-30.el6_5
httpd-debuginfo-0:2.2.15-30.el6_5
httpd-devel-0:2.2.15-30.el6_5
httpd-manual-0:2.2.15-30.el6_5
httpd-tools-0:2.2.15-30.el6_5
mod_ssl-1:2.2.15-30.el6_5
httpd-0:2.2.22-27.ep6.el5
httpd-0:2.2.22-27.ep6.el6
httpd-debuginfo-0:2.2.22-27.ep6.el5
httpd-debuginfo-0:2.2.22-27.ep6.el6
httpd-devel-0:2.2.22-27.ep6.el5
httpd-devel-0:2.2.22-27.ep6.el6
httpd-manual-0:2.2.22-27.ep6.el5
httpd-manual-0:2.2.22-27.ep6.el6
httpd-tools-0:2.2.22-27.ep6.el5
httpd-tools-0:2.2.22-27.ep6.el6
mod_ssl-1:2.2.22-27.ep6.el5
mod_ssl-1:2.2.22-27.ep6.el6
httpd-0:2.2.22-27.ep6.el5
httpd-0:2.2.22-27.ep6.el6
httpd-debuginfo-0:2.2.22-27.ep6.el5
httpd-debuginfo-0:2.2.22-27.ep6.el6
httpd-devel-0:2.2.22-27.ep6.el5
httpd-devel-0:2.2.22-27.ep6.el6
httpd-tools-0:2.2.22-27.ep6.el5
httpd-tools-0:2.2.22-27.ep6.el6
mod_ssl-1:2.2.22-27.ep6.el5
mod_ssl-1:2.2.22-27.ep6.el6

refmap via4

apple	APPLE-SA-2014-10-16-1 APPLE-SA-2015-04-08-2
bid	66303
bugtraq	20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm	http://advisories.mageia.org/MGASA-2014-0135.html http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698 http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15320.html http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c?r1=1575394&r2=1575400&diff_format=h http://www-01.ibm.com/support/docview.wss?uid=swg21668973 http://www-01.ibm.com/support/docview.wss?uid=swg21676091 http://www-01.ibm.com/support/docview.wss?uid=swg21676092 http://www.apache.org/dist/httpd/CHANGES_2.4.9 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html http://www.vmware.com/security/advisories/VMSA-2014-0012.html https://blogs.oracle.com/sunsecurity/entry/multiple_input_validation_vulnerabilities_in1 https://httpd.apache.org/security/vulnerabilities_24.html https://puppet.com/security/cve/cve-2014-0098 https://support.apple.com/HT204659 https://support.apple.com/kb/HT6535
fulldisc	20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
gentoo	GLSA-201408-12
hp	HPSBUX03102 HPSBUX03150 SSRT101681
mlist	[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
secunia	58230 58915 59219 59315 59345 60536
ubuntu	USN-2152-1

Last major update

14-09-2022 - 19:52

Published

18-03-2014 - 05:18

Last modified

14-09-2022 - 19:52