Posted to announce@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2022/12/15 21:54:05 UTC

[ANNOUNCE] Apache Traffic Server is vulnerable to request smuggling, cache poisoning, and DoS attacks

Description:
ATS is vulnerable to request smuggling, cache poisoning, and DoS attacks.

CVE (8.1.x and 9.1.x):
CVE-2022-32749 - Improperly handled requests can cause crashes in specific plugins
CVE-2022-37392 - Improperly reading the client request body

CVE (9.1.x):
CVE-2022-40743 - Security issues with the xdebug plugin

Reported By:
Vijay Mamidi (CVE-2022-32749)
Menno de Gier (CVE-2022-37392)
Nick Frost (CVE-2022-40743)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.5
ATS 9.0.0 to 9.1.3

Mitigation:
8.x users should upgrade to 8.1.6 or a later version
9.x users should upgrade to 9.1.4 or a later version

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40743

-Bryan