You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@trafficserver.apache.org by Bryan Call <bc...@yahoo-inc.com.INVALID> on 2014/07/23 17:26:39 UTC
[ANNOUNCE] Apache Traffic Server releases for security incident CVE-2014-3525
Everyone,
Below is our announcement for the security issue reported to us from
Yahoo! Japan. All versions of Apache Traffic Server are vulnerable.
We urge users to upgrade to either 4.2.1.1 or 5.0.1 immediately. There
is also a patch for 3.2.5 located under the patches directory and there
are no further releases of 3.2.x.
The artifacts are available for download at:
https://dist.apache.org/repos/dist/release/trafficserver/
-rw-r--r-- 1 bcall bcall 7440366 Jul 23 01:50 trafficserver-5.0.1.tar.bz2
-rw-r--r-- 1 bcall bcall 819 Jul 23 01:51 trafficserver-5.0.1.tar.bz2.asc
-rw-r--r-- 1 bcall bcall 62 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.md5
-rw-r--r-- 1 bcall bcall 70 Jul 23 01:50 trafficserver-5.0.1.tar.bz2.sha1
MD5: 76d5d7fea7ab1e3e1a09169ad0941767
SHA1: 13e6810ed7ad36b66e9dd0b3394fd059062a1f93
-rw-r--r-- 1 bcall bcall 6686865 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2
-rw-r--r-- 1 bcall bcall 819 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.asc
-rw-r--r-- 1 bcall bcall 64 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.md5
-rw-r--r-- 1 bcall bcall 72 Jul 23 02:01 trafficserver-4.2.1.1.tar.bz2.sha1
MD5: 7d154544c4953973570b4713a78cb0cb
SHA1: 1cd542a52ac7ed71ae95ec40d0076c45df0c5f27
This fixes CVE-2014-3525 and limits access to how the heath checks
are performed.
We like to thank everyone involved with reporting and working on this
incident.
Sincerely,
-- Bryan, on behalf of the Apache Traffic Server community
Re: [ANNOUNCE] Apache Traffic Server releases for security incident
CVE-2014-3525
Posted by Reindl Harald <h....@thelounge.net>.
Am 24.07.2014 11:41, schrieb Jan-Frode Myklebust:
> On Thu, Jul 24, 2014 at 11:26:50AM +0200, Reindl Harald wrote:
>>
>>> Is there any information available about this problem, so that we can make
>>> a judgement on criticality of the upgrade?
>>
>> in case of such security anncouncements there is not much to judge
>> it is a bugfix-only release and should already be deployed
>
> There are testing and procedures involved in doing changes to core
> services like ATS in our company. Can't just upgrade willy-nilly..
me too, automated
if testing procedures delay deployment for security related
bugfix-only updates for days they do more harm as anything
else - the bigger the company the more problems of that
sort - root cause is that nobody wants to take responsibility
>>> Any reason to believe a properly firewalled trafficserver (only incoming
>>> 80/tcp and 443/tcp allowed) should be remotely exploitable?
>>
>> surely because that is a expected setup and the nature of
>> a vulerability is to gain more rights as should be possible
>
> Did you read the patch? Looks to me like it's just a change of
> listening on ANY:8083 to LOOPBACK:8083 for some service, which
> doesn't seem like much a change for a firewalled host.. Unless I'm
> missing something..
not so sure!
diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index 43eff68..40f7ae0 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -775,11 +775,16 @@ HttpTransact::StartRemapRequest(State* s)
int host_len, path_len;
const char *host = url->host_get(&host_len);
const char *path = url->path_get(&path_len);
+ const int port = url->port_get();
const char syntxt[] = "synthetic.txt";
s->cop_test_page = (ptr_len_cmp(host, host_len, local_host_ip_str, sizeof(local_host_ip_str) - 1) == 0) &&
- (ptr_len_cmp(path, path_len, syntxt, sizeof(syntxt) - 1) == 0);
+ (ptr_len_cmp(path, path_len, syntxt, sizeof(syntxt) - 1) == 0) &&
+ port == s->http_config_param->autoconf_port &&
+ s->method == HTTP_WKSIDX_GET &&
+ s->orig_scheme == URL_WKSIDX_HTTP &&
+ (!s->http_config_param->autoconf_localhost_only || ats_ip4_addr_cast(&s->client_info.addr.sa) ==
htonl(INADDR_LOOPBACK));
Re: [ANNOUNCE] Apache Traffic Server releases for security incident
CVE-2014-3525
Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Thu, Jul 24, 2014 at 11:26:50AM +0200, Reindl Harald wrote:
>
> > Is there any information available about this problem, so that we can make
> > a judgement on criticality of the upgrade?
>
> in case of such security anncouncements there is not much to judge
> it is a bugfix-only release and should already be deployed
There are testing and procedures involved in doing changes to core
services like ATS in our company. Can't just upgrade willy-nilly..
>
> > Any reason to believe a properly firewalled trafficserver (only incoming
> > 80/tcp and 443/tcp allowed) should be remotely exploitable?
>
> surely because that is a expected setup and the nature of
> a vulerability is to gain more rights as should be possible
Did you read the patch? Looks to me like it's just a change of
listening on ANY:8083 to LOOPBACK:8083 for some service, which
doesn't seem like much a change for a firewalled host.. Unless I'm
missing something..
-jf
Re: [ANNOUNCE] Apache Traffic Server releases for security incident
CVE-2014-3525
Posted by Reindl Harald <h....@thelounge.net>.
Am 24.07.2014 11:10, schrieb Jan-Frode Myklebust:
> On Wed, Jul 23, 2014 at 08:26:39AM -0700, Bryan Call wrote:
>>
>> Below is our announcement for the security issue reported to us from
>> Yahoo! Japan. All versions of Apache Traffic Server are vulnerable.
>
> Is there any information available about this problem, so that we can make
> a judgement on criticality of the upgrade?
in case of such security anncouncements there is not much to judge
it is a bugfix-only release and should already be deployed
Jul 23 18:20:16 Updated: trafficserver-4.2.1.1-2.fc19.20140723.rh.x86_64
> Any reason to believe a properly firewalled trafficserver (only incoming
> 80/tcp and 443/tcp allowed) should be remotely exploitable?
surely because that is a expected setup and the nature of
a vulerability is to gain more rights as should be possible
Re: [ANNOUNCE] Apache Traffic Server releases for security incident
CVE-2014-3525
Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Wed, Jul 23, 2014 at 08:26:39AM -0700, Bryan Call wrote:
>
> Below is our announcement for the security issue reported to us from
> Yahoo! Japan. All versions of Apache Traffic Server are vulnerable.
Is there any information available about this problem, so that we can make
a judgement on criticality of the upgrade? Any reason to believe a
properly firewalled trafficserver (only incoming 80/tcp and 443/tcp allowed)
should be remotely exploitable?
Thanks!
-jf
Re: [ANNOUNCE] Apache Traffic Server releases for security incident
CVE-2014-3525
Posted by Jan-Frode Myklebust <ja...@tanso.net>.
RHEL/Fedora builds:
v5.0.1:
-------
Rawide http://koji.fedoraproject.org/koji/taskinfo?taskID=7188293
Fedora-21 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188299
EPEL-7 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188304
EPEL-6 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188438
v4.1.1.1:
---------
Fedora-20 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188471
EPEL-6 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188469
-jf
Re: [ANNOUNCE] Apache Traffic Server releases for security incident
CVE-2014-3525
Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Wed, Jul 23, 2014 at 08:26:39AM -0700, Bryan Call wrote:
>
> Below is our announcement for the security issue reported to us from
> Yahoo! Japan. All versions of Apache Traffic Server are vulnerable.
Is there any information available about this problem, so that we can make
a judgement on criticality of the upgrade? Any reason to believe a
properly firewalled trafficserver (only incoming 80/tcp and 443/tcp allowed)
should be remotely exploitable?
Thanks!
-jf
Re: [ANNOUNCE] Apache Traffic Server releases for security incident
CVE-2014-3525
Posted by Jan-Frode Myklebust <ja...@tanso.net>.
RHEL/Fedora builds:
v5.0.1:
-------
Rawide http://koji.fedoraproject.org/koji/taskinfo?taskID=7188293
Fedora-21 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188299
EPEL-7 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188304
EPEL-6 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188438
v4.1.1.1:
---------
Fedora-20 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188471
EPEL-6 http://koji.fedoraproject.org/koji/taskinfo?taskID=7188469
-jf