Is there any resolution for CVE-2013-6438 and CVE-2014-0098?

Solution Verified - Updated -


  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • Red Hat Software Collections (RHSCL) 1.1
  • EAP-6.2.1, EAP-6.2.2, EAP-6.3.0
  • Red Hat JBoss Web Server 2.0.1




Affected Products

Product/Channel Errata Fixed in package
Red Hat Enterprise Linux 6 RHSA-2014-0370 httpd-2.2.15-30.el6_5
Red Hat Enterprise Linux 5 RHSA-2014-0369 httpd-2.2.3-84.el5_10
JBoss Enterprise Application Platform 6 EAP-6.3.0 EAP one-off release
JBoss Enterprise Web Server 2.0.1 RHSA-2014-0783 httpd-2.2.22-27.ep6.el5
Red Hat Software Collections 1.1 RHSA-2014-0611 httpd24-1.1-4

Root Cause

  • It was found that the mod_dav module did not correctly strip leading white space from certain elements in a parsed XML. In certain httpd configurations that use the mod_dav module (for example when using the mod_dav_svn module), a remote attacker could send a specially crafted DAV request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the
    "apache" user. (CVE-2013-6438)

  • A buffer over-read flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled (on Red Hat Enterprise
    Linux it is disabled by default), a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed cookie
    header. (CVE-2014-0098)

  • All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the
    updated packages, the httpd daemon will be restarted automatically.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.