Description: ATS is vulnerable to several request smuggling, DoS, and validation attacks

CVE (8.1.x and 9.1.x):
CVE-2021-37147 Request Smuggling - LF line ending
CVE-2021-37148 Request Smuggling - transfer encoding validation
CVE-2021-37149 Request Smuggling - multiple attacks
CVE-2021-41585 ATS stops accepting connections on FreeBSD
CVE-2021-43082 heap-buffer-overflow with stats-over-http plugin

CVE (8.1.x):
CVE-2021-38161 Not validating origin TLS certificate

Reported By:
Mattias Grenfeldt and Asta Olofsson (CVE-2021-37147, CVE-2021-37148, CVE-2021-37149)
Asbjorn Bjornstad (CVE-2021-41585)
Masaori Koshiba (CVE-2021-43082)
Robert Butts (CVE-2021-38161)

Vendor: The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.2
ATS 9.0.0 to 9.1.0

Mitigation:
8.x users should upgrade to 8.1.3 or later versions
9.x users should upgrade to 9.1.1 or later versions

References:
Downloads: https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38161

-Bryan
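The two smuggling vectors named above (bare LF line endings and Transfer-Encoding validation) both come down to one hop parsing a request head more leniently than the next hop. The validator below is an added, generic illustration of the strict parsing a proxy needs in order not to disagree with its origin; it is not ATS code, does not reproduce the specific ATS defects, and the sample requests in it are constructed for the example. It rejects bare CR/LF, obsolete line folding, anything other than a single final "chunked" transfer coding, and Transfer-Encoding combined with Content-Length.

```python
"""Strict HTTP/1.1 request-head validator (generic example, not ATS code).

Returns the list of reasons a request head should be rejected instead of
being forwarded. A lenient parser that silently accepts these inputs can
frame the message differently from the next hop, which is the root of
request smuggling.
"""
import re

_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_REQUEST_LINE = re.compile(rb"^" + _TOKEN + rb" \S+ HTTP/1\.[01]$")
_FIELD_NAME = re.compile(rb"^" + _TOKEN + rb"$")


def validate_request_head(raw: bytes) -> list[str]:
    """Return problems found in the request head; an empty list means accept."""
    problems: list[str] = []
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        return ["request head not terminated by CRLF CRLF"]
    head = raw[:end]

    # 1. Line endings. Only CRLF terminates a line. A bare LF (or bare CR)
    #    must not be treated as a line ending: a hop that does so sees an
    #    extra header field where a strict hop sees the tail of a field value.
    if re.search(rb"(?<!\r)\n", head):
        problems.append("bare LF in request head")
    if re.search(rb"\r(?!\n)", head):
        problems.append("bare CR in request head")

    lines = head.split(b"\r\n")
    if not _REQUEST_LINE.match(lines[0]):
        problems.append("malformed request line")

    fields: list[tuple[bytes, bytes]] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not _FIELD_NAME.match(name):
            problems.append("malformed header field: %r" % line[:40])
            continue
        fields.append((name.lower(), value.strip(b" \t")))

    te = [v for n, v in fields if n == b"transfer-encoding"]
    cl = [v for n, v in fields if n == b"content-length"]

    # 2. Transfer-Encoding. Accept exactly one coding, "chunked", and nothing
    #    else (no "chunked, identity", no obfuscated spellings, no duplicates).
    #    Stricter than the RFC allows, deliberately: ambiguity is the attack.
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings != [b"chunked"]:
            problems.append("transfer-encoding must be exactly 'chunked'")
    # 3. Never let both framing mechanisms reach the next hop.
    if te and cl:
        problems.append("transfer-encoding and content-length both present")
    # 4. Content-Length must be a single, consistent, all-digit value.
    if cl and (any(not v.isdigit() for v in cl) or len(set(cl)) > 1):
        problems.append("invalid or conflicting content-length")
    return problems


# Constructed sample inputs for the example (not captured traffic).
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: a\nTransfer-Encoding: chunked\r\n\r\n",
    "te_and_cl": b"POST / HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te_obfuscated": b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, validate_request_head(req) or "accept")
```

In the bare-LF sample, the strict parser keeps "Transfer-Encoding: chunked" inside the Host value and flags the LF, whereas a hop that honours bare LF would see a chunked request: that difference in framing is what the advisory's first two CVEs are about. In a real proxy the reject path should close the client connection rather than forward anything.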