You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2019/08/20 18:36:41 UTC
ATS is vulnerable to a HTTP/2 attack with empty frames
Description:
ATS is vulnerable to a HTTP/2 attack with empty frames
CVE:
CVE-2019-9518 Empty Frames Flood
Reported By:
Piotr Sikora
Vendor:
The Apache Software Foundation
Version Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.6
ATS 8.0.0 to 8.0.3
Mitigation:
Turn off HTTP/2 or upgrade ATS to a current version
6.x users should upgrade to 7.1.8, 8.0.5, or later versions
7.x users should upgrade to 7.1.8 or later versions
8.x users should upgrade to 8.0.5 or later versions
References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
Github Pull Request:
https://github.com/apache/trafficserver/pull/5850
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
-Bryan
Re: ATS is vulnerable to a HTTP/2 attack with empty frames
Posted by Bryan Call <bc...@apache.org>.
This also affects 7.1.7 and 8.0.4. I updated the version range below.
-Bryan
> On Aug 20, 2019, at 11:36 AM, Bryan Call <bc...@apache.org> wrote:
>
> Description:
> ATS is vulnerable to a HTTP/2 attack with empty frames
>
> CVE:
> CVE-2019-9518 Empty Frames Flood
>
> Reported By:
> Piotr Sikora
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.3
> ATS 7.0.0 to 7.1.7
> ATS 8.0.0 to 8.0.4
>
> Mitigation:
> Turn off HTTP/2 or upgrade ATS to a current version
> 6.x users should upgrade to 7.1.8, 8.0.5, or later versions
> 7.x users should upgrade to 7.1.8 or later versions
> 8.x users should upgrade to 8.0.5 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> (Please use backup sites from the link only if the mirrors are unavailable)
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/5850
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
>
> -Bryan
>
>
Re: ATS is vulnerable to a HTTP/2 attack with empty frames
Posted by Bryan Call <bc...@apache.org>.
This also affects 7.1.7 and 8.0.4. I updated the version range below.
-Bryan
> On Aug 20, 2019, at 11:36 AM, Bryan Call <bc...@apache.org> wrote:
>
> Description:
> ATS is vulnerable to a HTTP/2 attack with empty frames
>
> CVE:
> CVE-2019-9518 Empty Frames Flood
>
> Reported By:
> Piotr Sikora
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.3
> ATS 7.0.0 to 7.1.7
> ATS 8.0.0 to 8.0.4
>
> Mitigation:
> Turn off HTTP/2 or upgrade ATS to a current version
> 6.x users should upgrade to 7.1.8, 8.0.5, or later versions
> 7.x users should upgrade to 7.1.8 or later versions
> 8.x users should upgrade to 8.0.5 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> (Please use backup sites from the link only if the mirrors are unavailable)
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/5850
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
>
> -Bryan
>
>
Re: ATS is vulnerable to a HTTP/2 attack with empty frames
Posted by Bryan Call <bc...@apache.org>.
This also affects 7.1.7 and 8.0.4. I updated the version range below.
-Bryan
> On Aug 20, 2019, at 11:36 AM, Bryan Call <bc...@apache.org> wrote:
>
> Description:
> ATS is vulnerable to a HTTP/2 attack with empty frames
>
> CVE:
> CVE-2019-9518 Empty Frames Flood
>
> Reported By:
> Piotr Sikora
>
> Vendor:
> The Apache Software Foundation
>
> Version Affected:
> ATS 6.0.0 to 6.2.3
> ATS 7.0.0 to 7.1.7
> ATS 8.0.0 to 8.0.4
>
> Mitigation:
> Turn off HTTP/2 or upgrade ATS to a current version
> 6.x users should upgrade to 7.1.8, 8.0.5, or later versions
> 7.x users should upgrade to 7.1.8 or later versions
> 8.x users should upgrade to 8.0.5 or later versions
>
> References:
> Downloads:
> https://trafficserver.apache.org/downloads
> (Please use backup sites from the link only if the mirrors are unavailable)
> Github Pull Request:
> https://github.com/apache/trafficserver/pull/5850
> CVE:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
>
> -Bryan
>
>