You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@trafficcontrol.apache.org by Rawlin Peters <ra...@apache.org> on 2019/09/06 19:54:07 UTC
[ANNOUNCE] CVE-2019-12405: Apache Traffic Control LDAP-based
authentication vulnerability
CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability
Severity: Critical
Vendor: The Apache Software Foundation
Versions affected:
Traffic Control 3.0.0
Traffic Control 3.0.1
Description:
The Traffic Ops API component of the Apache Traffic Control project is
vulnerable to improper authentication when LDAP is enabled. Given a username
for a user that can be authenticated via LDAP, it is possible to improperly
authenticate as that user without that user's correct password.
Mitigation:
3.x users should upgrade to 3.0.2.
If the upgrade cannot be done immediately, LDAP authentication can be disabled
by removing the Traffic Ops LDAP configuration file -- ldap.conf -- in order to
mitigate the vulnerability until an upgrade to 3.0.2 can be performed.
References:
Downloads:
http://trafficcontrol.apache.org/releases/
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12405
Project security:
http://trafficcontrol.apache.org/security/
--
Thanks,
Rawlin