Posted to users@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2018/02/27 17:38:23 UTC

[ANNOUNCE] Apache Traffic Server host header and line folding - CVE-2017-5660

CVE-2017-5660: Apache Traffic Server host header and line folding

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.2.0 and prior
ATS 7.0.0 and prior

Description:
There is a vulnerability in ATS with the Host header and line folding.  This can have issues when interacting with upstream proxies and the wrong host being used.

Mitigation:
6.2.x users should upgrade to 6.2.2 or later versions
7.x users should upgrade to 7.1.2 or later versions

References:
	Downloads:
		https://trafficserver.apache.org/downloads

	Github Pull Request:
		https://github.com/apache/trafficserver/pull/1657

	CVE:
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5660

-Bryan




Re: [ANNOUNCE] Apache Traffic Server host header and line folding - CVE-2017-5660

Posted by Leif Hedstrom <zw...@apache.org>.

> On Mar 5, 2018, at 7:48 AM, Jeremy Payne <jp...@gmail.com> wrote:
> 
> Is it safe to conclude that, in terms of request routing, this CVE
> only applies to proxies in forward proxy mode? Or rather forward
> proxies that parse the host header to determine next hop?
> In reverse proxy mode, where remap rules are explicitly defined,
> a request either matches a remap or the request is denied.
> 
> Please advise.


If I recall, this can be used in any proxy mode. A well-crafted request could, for example, cause an origin or different upstream parent to look at the wrong host header, which could be bad if that origin handles different hosts differently.

— leif
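The "line folding" the advisory refers to is HTTP's obsolete line folding (obs-fold, RFC 7230 section 3.2.4), where a header line that starts with whitespace continues the previous field value; the risk Leif describes arises when two hops apply different rules to such a fold and so end up with different Host values. The parser below is an added example, not ATS code and not the fix in the linked pull request: it assumes the disagreement stems from obs-fold handling (the advisory does not spell out the mechanism) and shows the two handlings RFC 7230 permits a proxy, reject the request or unfold and then validate; the request samples and the simplified host pattern are constructed.

```python
import re

# Obsolete line folding (RFC 7230 section 3.2.4): a header line beginning
# with SP or HTAB continues the previous field value. A recipient must
# either reject such a message or replace each fold with a single SP before
# interpreting or forwarding the field.
OBS_FOLD = re.compile(rb"\r\n[ \t]+")
# Simplified uri-host check (no IPv6 literal); an embedded space never passes.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(?::\d{1,5})?$")

def parse_headers(raw: bytes, obs_fold: str = "reject") -> dict:
    """Return {lower-case name: value} for one request, or raise ValueError.

    obs_fold="reject": any folded line fails the request (safe default).
    obs_fold="unfold": each fold becomes one SP, so the value forwarded
    upstream has no folding left for the next hop to interpret differently.
    """
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    if OBS_FOLD.search(head):
        if obs_fold != "unfold":
            raise ValueError("obs-fold in request headers")
        head = OBS_FOLD.sub(b" ", head)
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        key = name.decode("ascii").lower()
        if key == "host" and key in headers:
            raise ValueError("duplicate Host header")
        headers[key] = value.strip().decode("ascii")
    host = headers.get("host")
    if host is None or not HOST_RE.match(host):
        raise ValueError("missing or invalid Host header: %r" % host)
    return headers

# Constructed samples (not real traffic).
GOOD = b"GET / HTTP/1.1\r\nHost: origin.example\r\nUser-Agent: probe\r\n\r\n"
FOLDED_HOST = (b"GET / HTTP/1.1\r\nHost: origin\r\n\t.example\r\n"
               b"User-Agent: probe\r\n\r\n")
FOLDED_UA = (b"GET / HTTP/1.1\r\nHost: origin.example\r\n"
             b"User-Agent: probe\r\n v1\r\n\r\n")

def outcome(raw: bytes, obs_fold: str = "reject") -> str:
    """Summarise how a request fares under the chosen obs-fold policy."""
    try:
        return "accepted host=%s" % parse_headers(raw, obs_fold)["host"]
    except ValueError as e:
        return "rejected: %s" % e
```

Under either policy the folded Host sample never reaches an upstream with an ambiguous value: "reject" drops it at the edge, and "unfold" produces a single value with an embedded space that fails host validation.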


Re: [ANNOUNCE] Apache Traffic Server host header and line folding - CVE-2017-5660

Posted by Jeremy Payne <jp...@gmail.com>.
Is it safe to conclude that, in terms of request routing, this CVE
only applies to proxies in forward proxy mode? Or rather forward
proxies that parse the host header to determine next hop?
In reverse proxy mode, where remap rules are explicitly defined,
a request either matches a remap or the request is denied.

Please advise.





On Tue, Feb 27, 2018 at 11:38 AM, Bryan Call <bc...@apache.org> wrote:
> CVE-2017-5660: Apache Traffic Server host header and line folding
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.2.0 and prior
> ATS 7.0.0 and prior
>
> Description:
> There is a vulnerability in ATS with the Host header and line folding.  This can have issues when interacting with upstream proxies and the wrong host being used.
>
> Mitigation:
> 6.2.x users should upgrade to 6.2.2 or later versions
> 7.x users should upgrade to 7.1.2 or later versions
>
> References:
>         Downloads:
>                 https://trafficserver.apache.org/downloads
>
>         Github Pull Request:
>                 https://github.com/apache/trafficserver/pull/1657
>
>         CVE:
>                 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5660
>
> -Bryan
>
>
>