Description:
ATS is vulnerable to HTTP/2 and s3_auth plugin attacks.

CVE:
CVE-2023-44487 - HTTP/2 Rapid Reset
CVE-2023-41752 - s3_auth plugin exposes AWSAccessKeyId
CVE-2023-39456 - Malformed HTTP/2 frames can cause an abort

Reported By:
Masakazu Kitajo (CVE-2023-41752)
Akshat Parikh (CVE-2023-39456)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.8
ATS 9.0.0 to 9.2.2

Mitigation:
8.x users should upgrade to 8.1.9 or later versions.
9.x users should upgrade to 9.2.3 or later versions.
Users can also disable HTTP/2.
There is a new plugin released, called block_errors, that will help with blocking users who are abusing the HTTP/2 protocol:
https://docs.trafficserver.apache.org/admin-guide/plugins/block_errors.en.html

CVE:
https://www.cve.org/CVERecord?id=CVE-2023-44487
https://www.cve.org/CVERecord?id=CVE-2023-41752
https://www.cve.org/CVERecord?id=CVE-2023-39456

-Bryan