CVE-2014-0098 (Apache vulnerability in config module could allow denial of service attacks via cookies)
Posted April 15, 2014
Assessed Risk Level: Medium
For RHEL, SLES, CentOS, and Scientific Linux systems: CVSS v2 score 5.3, v2 vector (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
For Debian and Ubuntu systems: CVSS v2 score 4.0, v2 vector (AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
The scores differ because `mod_log_config` is enabled by default on RHEL, CentOS, SLES, and Scientific Linux systems. The module is not enabled by default on Debian and Ubuntu.
- Affected Versions: Puppet Enterprise 2.x, 3.x
- Resolved in Puppet Enterprise 3.2.2, 2.8.6