Potential Security Vulnerability CVE-2014-0231

Version 1

    Verified Product Versions

    AppSense DataNow 3.6
    AppSense DataNow 3.5
    AppSense DataNow 3.0
    AppSense DataNow 2.0
    AppSense Insight 1.3
    AppSense Insight 1.4

    Introduction

    A security scan may falsely report a potential vulnerability against DataNow / Insight appliances, referencing CVE-2014-0231.

    Detail

    Vulnerability Summary for CVE-2014-0231

    Original release date: 07/20/2014

    Last revised: 04/14/2015

    Source: US-CERT/NIST

    Overview

    The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

    Impact CVSS Severity (version 2.0):

    CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)

    Impact Subscore: 2.9

    Exploitability Subscore: 10.0

    CVSS Version 2 Metrics:

    Access Vector: Network exploitable

    Access Complexity: Low

    Authentication: Not required to exploit

    Impact Type: Allows disruption of service

    This false positive is reported by some vulnerability scanners because the mod_cgid Apache module is vulnerable in versions of Apache prior to 2.4.10.

    This module is not loaded in the Apache configuration for DataNow.

    This false positive can be safely ignored.
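
    One way to confirm a scanner finding like this on a host you can inspect, as an added example that is not AppSense's own code: the script classifies captured `httpd -v` and `httpd -M` output against the two conditions in the CVE text (Apache before 2.4.10, mod_cgid loaded). The function names and sample outputs are constructed for illustration, and the binary name (`httpd`, `apachectl`, `apache2ctl`) is an assumption that depends on the installation.

```shell
#!/bin/sh
# Added example: classify a host for CVE-2014-0231 from captured Apache output.
# Function names and the sample inputs below are constructed for illustration.

# Print the dotted version from `httpd -v` output ("Server version: Apache/x.y.z").
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed if dotted version $1 is strictly lower than $2 (numeric, per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Succeed if the `httpd -M` module list contains cgid_module (not cgi_module).
cgid_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*cgid_module[[:space:]]'
}

# Args: $1 = `httpd -v` output, $2 = `httpd -M` output.
# Prints: not-applicable | fixed | exposed | unknown
classify_cve_2014_0231() {
    # Without a real module list we cannot claim the module is absent.
    case "$2" in *"Loaded Modules:"*) ;; *) echo "unknown"; return ;; esac
    ver=$(apache_version "$1")
    if ! cgid_loaded "$2"; then echo "not-applicable"
    elif [ -z "$ver" ]; then echo "unknown"
    elif version_lt "$ver" "2.4.10"; then echo "exposed"
    else echo "fixed"
    fi
}

# Constructed sample inputs (not taken from a DataNow or Insight appliance).
SAMPLE_VERSION='Server version: Apache/2.4.7 (Unix)'
SAMPLE_MODULES_NO_CGID='Loaded Modules:
 core_module (static)
 ssl_module (shared)'
SAMPLE_MODULES_CGID='Loaded Modules:
 core_module (static)
 cgid_module (shared)'

classify_cve_2014_0231 "$SAMPLE_VERSION" "$SAMPLE_MODULES_NO_CGID"
classify_cve_2014_0231 "$SAMPLE_VERSION" "$SAMPLE_MODULES_CGID"
```

    On a live host the same function can be fed real output, for example `classify_cve_2014_0231 "$(httpd -v)" "$(httpd -M 2>/dev/null)"`.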