Description:
ATS is vulnerable to several HTTP/2 attacks: PING, RST_STREAM and SETTINGS frame floods, and malformed SETTINGS frames
CVE:
CVE-2019-9512 - Ping Flood
CVE-2019-9514 - Reset Flood
CVE-2019-9515 - Settings Flood
CVE-2019-10079 - ATS is vulnerable to malformed SETTINGS frames
Reported By:
Jonathan Looney (CVE-2019-9512, CVE-2019-9514, CVE-2019-9515)
Masakazu Kitajo (CVE-2019-10079)
Vendor:
The Apache Software Foundation
Versions Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.6
ATS 8.0.0 to 8.0.3
Mitigation:
Turn off HTTP/2 or upgrade ATS to a current version
6.x users should upgrade to 7.1.7, 8.0.4, or later versions
7.x users should upgrade to 7.1.7 or later versions
8.x users should upgrade to 8.0.4 or later versions
References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
GitHub Pull Requests:
https://github.com/apache/trafficserver/pull/5820
https://github.com/apache/trafficserver/pull/5821
https://github.com/apache/trafficserver/pull/5822
https://github.com/apache/trafficserver/pull/5528
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10079
-Bryan