
Apache httpd: mod_log_config and mod_dav vulnerabilities

IDs: 
CVE-2013-6438, CVE-2014-0098
Keywords: 
httpd, mod_dav, mod_log_config
Description: 

Two Apache HTTP Server vulnerabilities affecting the modules mod_log_config and mod_dav in versions prior to 2.4.9 have been published. Airlock is not affected. Details:

CVE-2014-0098 (mod_log_config)

A flaw was found in mod_log_config. A remote attacker could send a specifically truncated cookie that causes Apache httpd to crash.

Airlock is not affected because cookie logging is not active in httpd.

CVE-2013-6438 (mod_dav)

A remote user can send specially crafted DAV WRITE requests that trigger a flaw in mod_dav's processing of spaces within CDATA and cause the target service to crash.

Airlock itself is not vulnerable since mod_dav is not used.

To protect back-end servers, Airlock ships with restrictive default allow rules (whitelist rules). Those default rules prevent the use of WebDAV commands; an integrator has to allow those commands explicitly. For this reason, back-end servers are not exploitable by default. The Airlock configuration scheme, which uses path-based mappings, leads the administrator to a secure configuration in which DAV commands are only allowed on the paths where they are needed.

Resolution: 

The default configuration of Airlock secures back-end servers. No action is required. Nevertheless, we recommend updating known vulnerable software anyway: update Apache HTTP servers with mod_dav enabled to version 2.2.27 or later, or to version 2.4.9 or later, respectively.
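The following script is an added illustration of the two practical points in this advisory; it is not Airlock's own configuration format or code, and the mapping syntax, path prefixes and method sets in it are assumptions made for the example. The first part models a per-path method allow-list in which WebDAV methods are denied everywhere unless a mapping explicitly enables them, which is the behaviour the default rules described above are meant to achieve. The second part checks an httpd version string against the fixed releases named in the resolution (2.2.27 for the 2.2 branch, 2.4.9 for the 2.4 branch) so that an operator can script the "is this back-end patched" question.

```python
"""Added example, not Airlock's own code or configuration.

1. A per-path HTTP method allow-list: WebDAV methods are denied unless a
   path mapping explicitly lists them (hypothetical mapping format).
2. A check of an httpd version string against the fixed releases named
   in the advisory (2.2.27 and 2.4.9).
"""
from __future__ import annotations

# WebDAV methods as defined in RFC 4918. None of these are allowed unless
# a mapping opts into them explicitly.
WEBDAV_METHODS = frozenset({
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})

# Methods the default rules allow on every path (assumption for this example).
DEFAULT_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS"})

# Hypothetical path-based mappings; the longest matching prefix wins.
# Only the /dav/ mapping enables WebDAV methods.
MAPPINGS = {
    "/": frozenset(),                                           # defaults only
    "/api/": frozenset({"PUT", "DELETE"}),                      # REST, no DAV
    "/dav/": frozenset({"PUT", "DELETE"}) | WEBDAV_METHODS,     # DAV allowed here
}


def allowed_methods(path: str) -> frozenset[str]:
    """Return the method set for the most specific mapping covering path."""
    if not path.startswith("/"):
        return frozenset()                      # malformed target: allow nothing
    best = max((p for p in MAPPINGS if path.startswith(p)), key=len)
    return DEFAULT_METHODS | MAPPINGS[best]


def is_request_allowed(method: str, path: str) -> bool:
    """Default-deny decision: a method passes only if its mapping lists it."""
    return method.upper() in allowed_methods(path)


# Fixed releases per branch, taken from the resolution above.
FIXED_RELEASES = {(2, 2): (2, 2, 27), (2, 4): (2, 4, 9)}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.4.9' into (2, 4, 9) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def httpd_version_is_fixed(version: str) -> bool | None:
    """True if the version is at or after its branch's fixed release,
    False if it is older, None for a branch the advisory does not cover."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


if __name__ == "__main__":
    # Constructed sample requests and version strings.
    for method, path in [("GET", "/index.html"), ("PROPFIND", "/"),
                         ("PROPFIND", "/dav/docs"), ("MKCOL", "/api/x")]:
        verdict = "allow" if is_request_allowed(method, path) else "deny"
        print(f"{method:9s} {path:12s} -> {verdict}")
    for v in ["2.2.26", "2.2.27", "2.4.8", "2.4.9", "2.4.10", "2.0.65"]:
        print(f"httpd {v:7s} fixed: {httpd_version_is_fixed(v)}")
```

The longest-prefix rule is what keeps the configuration safe by construction: adding a `/dav/` mapping does not widen what `/` or `/api/` accept, so DAV methods stay confined to the one path that needs them.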

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock