Posted April 15, 2014
Assessed Risk Level: Medium
For Apache versions earlier than 2.4.8, the `log_cookie` function in `mod_log_config.c` in the `mod_log_config` module could allow remote attackers to cause a denial of service via a crafted cookie that is not properly handled during truncation.
For RHEL, SLES, CentOS, and Scientific Linux systems: CVSS v2 score 5.3, v2 vector (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
For Debian and Ubuntu systems: CVSS v2 score 4.0, v2 vector (AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
The variation in score is because `mod_log_config` is enabled by default on RHEL, CentOS, SLES, and Scientific Linux systems. The module is not enabled by default on Debian and Ubuntu.
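As an added triage check that is not part of the original advisory, the script below applies the advisory's two conditions, an httpd version earlier than 2.4.8 and `mod_log_config` actually loaded, to the captured text of `httpd -v` and `httpd -M` (or `apachectl -v` / `-M`). The sample command output at the bottom is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added triage helper (not from the advisory): flags an httpd instance that is
# both older than 2.4.8 AND has log_config_module loaded. It works on captured
# text so it can be run offline against output collected from many hosts.

# version_lt A B: succeeds when dotted version A is strictly lower than B.
# Distro suffixes such as "2.4.7-1ubuntu4" are stripped before comparing.
version_lt() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# apache_version: extracts e.g. "2.4.7" from `httpd -v` output.
apache_version() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# log_config_loaded: succeeds if `httpd -M` output lists log_config_module.
log_config_loaded() {
  printf '%s\n' "$1" | grep -q 'log_config_module'
}

# assess V_OUT M_OUT: prints affected / fixed-version / module-not-loaded /
# unknown-version (the last when the version line cannot be parsed).
assess() {
  ver=$(apache_version "$1")
  if [ -z "$ver" ]; then
    echo unknown-version
  elif ! version_lt "$ver" 2.4.8; then
    echo fixed-version
  elif log_config_loaded "$2"; then
    echo affected
  else
    echo module-not-loaded
  fi
}

# Constructed sample output for a stand-alone run.
SAMPLE_V='Server version: Apache/2.4.7 (Ubuntu)
Server built:   Mar 31 2014 12:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 log_config_module (static)'
assess "$SAMPLE_V" "$SAMPLE_M"   # prints: affected
```

Distribution packages often backport the fix without changing the version string, so an "affected" result is a prompt to check the package changelog, not proof of exposure.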
- Affected Versions: Puppet Enterprise 2.x, 3.x
- Resolved in Puppet Enterprise 3.2.2, 2.8.6