Posted to users@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2022/08/10 00:37:32 UTC

[ANNOUNCE] Apache Traffic Server is vulnerable to smuggling, cache poisoning, and possible authorization attacks

Description:
ATS is vulnerable to smuggling, cache poisoning, and possible authorization attacks.

CVE (8.1.x and 9.1.x):
CVE-2021-37150 Protocol vs scheme mismatch
CVE-2022-25763 Improper input validation on HTTP/2 headers
CVE-2022-28129 Insufficient Validation of HTTP/1.x Headers
CVE-2022-31780 HTTP/2 framing vulnerabilities

CVE (8.1.x):
CVE-2022-31778 Transfer-Encoding not treated as hop-by-hop

Reported By:
Mazakatsu Kitajo, Tony Regins, and Zhang Zeyu (CVE-2022-25763)
Zhang Zeyu (CVE-2022-28129)
Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi, Tommaso Innocenti, Kaan Onarlioglu, and Engin Kirda (CVE-2022-31780)
Chris Lemmons (CVE-2022-31778)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.4
ATS 9.0.0 to 9.1.2

Mitigation:
8.x users should upgrade to 8.1.5 or later versions
9.x users should upgrade to 9.1.3 or later versions

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31778

-Bryan