Posted to announce@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2022/12/15 21:54:05 UTC
[ANNOUNCE] Apache Traffic Server is vulnerable to smuggle, cache poison, and DoS attacks
Description:
ATS is vulnerable to smuggle, cache poison, and DoS attacks.
CVE (8.1.x and 9.1.x):
CVE-2022-32749 - Improperly handled requests can cause crashes in specific plugins
CVE-2022-37392 - Improperly reading the client request body
CVE (9.1.x):
CVE-2022-40743 - Security issues with the xdebug plugin
Reported By:
Vijay Mamidi (CVE-2022-32749)
Menno de Gier (CVE-2022-37392)
Nick Frost (CVE-2022-40743)
Vendor:
The Apache Software Foundation
Version Affected:
ATS 8.0.0 to 8.1.5
ATS 9.0.0 to 9.1.3
Mitigation:
8.x users should upgrade to 8.1.6 or later versions
9.x users should upgrade to 9.1.4 or later versions
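A small checker for the affected and fixed versions listed above, added here as an example (it is not part of the announcement or of the ATS project): it parses the version string printed by `traffic_server --version` (banner format assumed) and reports whether that build is in a vulnerable range, at or past the fixed release, or outside the lines the advisory covers.

```python
import re

# Vulnerable ranges (inclusive) and the fixed release for each line,
# exactly as stated in the advisory.
AFFECTED = [
    ((8, 0, 0), (8, 1, 5), (8, 1, 6)),
    ((9, 0, 0), (9, 1, 3), (9, 1, 4)),
]

# Assumed banner format of `traffic_server --version`, e.g.
# "Apache Traffic Server - traffic_server - 9.1.3 - (build # ...)";
# only the first x.y.z token is used, so other layouts also work.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first x.y.z version in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Classify a version banner against the advisory.

    Returns (status, fixed_version) where status is one of:
      'vulnerable'  - inside an affected range (fixed_version = upgrade target)
      'fixed'       - same major line, at or after the fixed release
      'not-covered' - a major line the advisory does not mention
      'unknown'     - no version could be parsed
    """
    v = parse_version(text)
    if v is None:
        return ("unknown", None)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return ("vulnerable", fixed)
        if v[0] == low[0] and v >= fixed:
            return ("fixed", fixed)
    return ("not-covered", None)


if __name__ == "__main__":
    # Constructed sample banners modelled on the assumed format.
    for banner in [
        "Apache Traffic Server - traffic_server - 9.1.3 - (build # ...)",
        "Apache Traffic Server - traffic_server - 8.1.6 - (build # ...)",
    ]:
        print(parse_version(banner), "->", assess(banner))
```

Run it against the banner collected from each host (for example via your inventory tooling) to find builds that still need the 8.1.6 or 9.1.4 upgrade.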
References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40743
-Bryan