You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2018/02/27 17:38:23 UTC
[ANNOUNCE] Apache Traffic Server host header and line folding -
CVE-2017-5660
CVE-2017-5660: Apache Traffic Server host header and line folding
Vendor:
The Apache Software Foundation
Version Affected:
ATS 6.2.0 and prior
ATS 7.0.0 and prior
Description:
There is a vulnerability in ATS with the Host header and line folding. This can have issues when interacting with upstream proxies and the wrong host being used.
Mitigation:
6.2.x users should upgrade to 6.2.2 or later versions
7.x users should upgrade to 7.1.2 or later versions
References:
Downloads:
https://trafficserver.apache.org/downloads
Github Pull Request:
https://github.com/apache/trafficserver/pull/1657
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5660
-Bryan
Re: [ANNOUNCE] Apache Traffic Server host header and line folding -
CVE-2017-5660
Posted by Leif Hedstrom <zw...@apache.org>.
> On Mar 5, 2018, at 7:48 AM, Jeremy Payne <jp...@gmail.com> wrote:
>
> Is it safe to conclude that in terms of request routing, that this CVE
> only applies to proxies in forward proxy mode ? Or rather forward
> proxies that parse the host header to determine next hop ?
> In reverse proxy mode, where remap rules are explicitly defined, then
> a request either matches a remap or the request is denied.
>
> Please advise.
If I recall, this can be used in any proxy mode. A well crafted request could for example cause an origin or different upstream parent, to look at the wrong host header, which could be bad if that origin handles different hosts differently.
— leif
Re: [ANNOUNCE] Apache Traffic Server host header and line folding - CVE-2017-5660
Posted by Jeremy Payne <jp...@gmail.com>.
Is it safe to conclude that in terms of request routing, that this CVE
only applies to proxies in forward proxy mode ? Or rather forward
proxies that parse the host header to determine next hop ?
In reverse proxy mode, where remap rules are explicitly defined, then
a request either matches a remap or the request is denied.
Please advise.
On Tue, Feb 27, 2018 at 11:38 AM, Bryan Call <bc...@apache.org> wrote:
> CVE-2017-5660: Apache Traffic Server host header and line folding
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.2.0 and prior
> ATS 7.0.0 and prior
>
> Description:
> There is a vulnerability in ATS with the Host header and line folding. This can have issues when interacting with upstream proxies and the wrong host being used.
>
> Mitigation:
> 6.2.x users should upgrade to 6.2.2 or later versions
> 7.x users should upgrade to 7.1.2 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
>
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/1657
>
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5660
>
> -Bryan
>
>
>