Description:
ATS is vulnerable to an HTTP/2 attack with empty frames

CVE:
CVE-2019-9518 Empty Frames Flood

Reported By:
Piotr Sikora

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.6
ATS 8.0.0 to 8.0.3

Mitigation:
Turn off HTTP/2 or upgrade ATS to a current version
6.x users should upgrade to 7.1.8, 8.0.5, or later versions
7.x users should upgrade to 7.1.8 or later versions
8.x users should upgrade to 8.0.5 or later versions

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)

Github Pull Request:
https://github.com/apache/trafficserver/pull/5850

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518

-Bryan
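
For operators triaging decrypted HTTP/2 traffic, the following is an added example (not part of the advisory and not ATS code) that counts empty frames per connection. The watched frame types follow the public CVE-2019-9518 description (zero-length DATA, HEADERS, CONTINUATION or PUSH_PROMISE frames without the end-of-stream flag). The function names, the `max_empty` budget and the sample byte strings are assumptions constructed for illustration.

```python
import struct

# Frame type and flag values from RFC 7540, section 6.
DATA, HEADERS, SETTINGS, PUSH_PROMISE, CONTINUATION = 0x0, 0x1, 0x4, 0x5, 0x9
END_STREAM = 0x1
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
WATCHED = {DATA, HEADERS, PUSH_PROMISE, CONTINUATION}

def parse_frames(buf):
    """Yield (length, type, flags, stream_id) for each complete frame."""
    off = len(PREFACE) if buf.startswith(PREFACE) else 0
    while off + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo          # 24-bit payload length
        if off + 9 + length > len(buf):
            break                         # truncated frame, wait for more bytes
        yield length, ftype, flags, sid & 0x7FFFFFFF
        off += 9 + length

def count_empty_frames(buf):
    """Count zero-length watched frames that do not close their stream."""
    count = 0
    for length, ftype, flags, _sid in parse_frames(buf):
        closes = ftype in (DATA, HEADERS) and bool(flags & END_STREAM)
        if length == 0 and ftype in WATCHED and not closes:
            count += 1
    return count

def exceeds_budget(buf, max_empty=10):
    """max_empty is a hypothetical per-connection budget, not an ATS setting."""
    return count_empty_frames(buf) > max_empty

def frame(ftype, flags, sid, payload=b""):
    """Build one frame; used only to construct the sample inputs below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

# Constructed samples. NORMAL: one request whose body ends with an empty
# DATA frame carrying END_STREAM, which is legitimate and is not counted.
NORMAL = (PREFACE + frame(SETTINGS, 0, 0) + frame(HEADERS, 0x4, 1, b"\x82\x86")
          + frame(DATA, 0, 1, b"hello") + frame(DATA, END_STREAM, 1))
# NOISY: same connection, then 50 empty DATA frames without END_STREAM.
NOISY = NORMAL[:-9] + frame(DATA, 0, 1) * 50

if __name__ == "__main__":
    for name, sample in (("NORMAL", NORMAL), ("NOISY", NOISY)):
        print(name, count_empty_frames(sample), exceeds_budget(sample))
```

The input is expected to be the client-to-server byte stream of a single connection after TLS termination; an empty SETTINGS frame is deliberately not counted because it is valid protocol use.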