ID CVE-2014-0098
Summary The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.15-60:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.15-60:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:secure_global_desktop:4.71:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:secure_global_desktop:4.71:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:12.1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:http_server:12.1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:secure_global_desktop:4.63:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:secure_global_desktop:4.63:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:12.1.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:http_server:12.1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:11.1.1.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:http_server:11.1.1.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:10.1.3.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:http_server:10.1.3.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:secure_global_desktop:5.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:secure_global_desktop:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:secure_global_desktop:5.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:secure_global_desktop:5.1:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
CVSS
Base: 5.0 (as of 14-09-2022 - 19:52)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1077871
    title CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment httpd is earlier than 0:2.2.3-85.el5_10
            oval oval:com.redhat.rhsa:tst:20140369001
          • comment httpd is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070556002
        • AND
          • comment httpd-devel is earlier than 0:2.2.3-85.el5_10
            oval oval:com.redhat.rhsa:tst:20140369003
          • comment httpd-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070556004
        • AND
          • comment httpd-manual is earlier than 0:2.2.3-85.el5_10
            oval oval:com.redhat.rhsa:tst:20140369005
          • comment httpd-manual is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070556006
        • AND
          • comment mod_ssl is earlier than 1:2.2.3-85.el5_10
            oval oval:com.redhat.rhsa:tst:20140369007
          • comment mod_ssl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070556008
    rhsa
    id RHSA-2014:0369
    released 2014-04-03
    severity Moderate
    title RHSA-2014:0369: httpd security update (Moderate)
  • bugzilla
    id 1077871
    title CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment httpd is earlier than 0:2.2.15-30.el6_5
            oval oval:com.redhat.rhsa:tst:20140370001
          • comment httpd is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152194002
        • AND
          • comment httpd-devel is earlier than 0:2.2.15-30.el6_5
            oval oval:com.redhat.rhsa:tst:20140370003
          • comment httpd-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152194004
        • AND
          • comment httpd-manual is earlier than 0:2.2.15-30.el6_5
            oval oval:com.redhat.rhsa:tst:20140370005
          • comment httpd-manual is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152194006
        • AND
          • comment httpd-tools is earlier than 0:2.2.15-30.el6_5
            oval oval:com.redhat.rhsa:tst:20140370007
          • comment httpd-tools is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152194008
        • AND
          • comment mod_ssl is earlier than 1:2.2.15-30.el6_5
            oval oval:com.redhat.rhsa:tst:20140370009
          • comment mod_ssl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20152194016
    rhsa
    id RHSA-2014:0370
    released 2014-04-03
    severity Moderate
    title RHSA-2014:0370: httpd security update (Moderate)
rpms
  • httpd-0:2.2.3-85.el5_10
  • httpd-debuginfo-0:2.2.3-85.el5_10
  • httpd-devel-0:2.2.3-85.el5_10
  • httpd-manual-0:2.2.3-85.el5_10
  • mod_ssl-1:2.2.3-85.el5_10
  • httpd-0:2.2.15-30.el6_5
  • httpd-debuginfo-0:2.2.15-30.el6_5
  • httpd-devel-0:2.2.15-30.el6_5
  • httpd-manual-0:2.2.15-30.el6_5
  • httpd-tools-0:2.2.15-30.el6_5
  • mod_ssl-1:2.2.15-30.el6_5
  • httpd-0:2.2.22-27.ep6.el5
  • httpd-0:2.2.22-27.ep6.el6
  • httpd-debuginfo-0:2.2.22-27.ep6.el5
  • httpd-debuginfo-0:2.2.22-27.ep6.el6
  • httpd-devel-0:2.2.22-27.ep6.el5
  • httpd-devel-0:2.2.22-27.ep6.el6
  • httpd-manual-0:2.2.22-27.ep6.el5
  • httpd-manual-0:2.2.22-27.ep6.el6
  • httpd-tools-0:2.2.22-27.ep6.el5
  • httpd-tools-0:2.2.22-27.ep6.el6
  • mod_ssl-1:2.2.22-27.ep6.el5
  • mod_ssl-1:2.2.22-27.ep6.el6
  • httpd-0:2.2.22-27.ep6.el5
  • httpd-0:2.2.22-27.ep6.el6
  • httpd-debuginfo-0:2.2.22-27.ep6.el5
  • httpd-debuginfo-0:2.2.22-27.ep6.el6
  • httpd-devel-0:2.2.22-27.ep6.el5
  • httpd-devel-0:2.2.22-27.ep6.el6
  • httpd-tools-0:2.2.22-27.ep6.el5
  • httpd-tools-0:2.2.22-27.ep6.el6
  • mod_ssl-1:2.2.22-27.ep6.el5
  • mod_ssl-1:2.2.22-27.ep6.el6
refmap via4
apple
  • APPLE-SA-2014-10-16-1
  • APPLE-SA-2015-04-08-2
bid 66303
bugtraq 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm
fulldisc 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
gentoo GLSA-201408-12
hp
  • HPSBUX03102
  • HPSBUX03150
  • SSRT101681
mlist
  • [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
secunia
  • 58230
  • 58915
  • 59219
  • 59315
  • 59345
  • 60536
ubuntu USN-2152-1
Last major update 14-09-2022 - 19:52
Published 18-03-2014 - 05:18
Last modified 14-09-2022 - 19:52
Back to Top