Posted to users@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2021/11/02 21:00:25 UTC
[ANNOUNCE] Apache Traffic Server is vulnerable to various smuggle, DoS, and validation attacks
Description:
ATS is vulnerable to various request smuggling, DoS, and validation attacks.
CVE (8.1.x and 9.1.x):
CVE-2021-37147 Request Smuggling - LF line ending
CVE-2021-37148 Request Smuggling - transfer encoding validation
CVE-2021-37149 Request Smuggling - multiple attacks
CVE-2021-41585 ATS stops accepting connections on FreeBSD
CVE-2021-43082 heap-buffer-overflow with stats-over-http plugin
CVE (8.1.x):
CVE-2021-38161 Not validating origin TLS certificate
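The three smuggling entries above name the malformation classes (bare LF line endings, Transfer-Encoding validation) without describing the parser logic involved. The following is an added example, not Apache Traffic Server code and not a description of the fixed or vulnerable ATS parser: a strict HTTP/1.1 request-head validator of the kind a front-end proxy or a detection pipeline can apply, refusing bare LF terminators, unrecognized or non-final transfer codings, and conflicting Content-Length/Transfer-Encoding framing. The accepted coding set, the sample requests and the `origin.example` host are constructed for illustration.

```python
"""Strict HTTP/1.1 request-head validator.

Added example for this advisory, not Apache Traffic Server code. It shows,
from the defender's side, what a strict front-end parser refuses for the two
malformation classes the advisory names: bare LF line endings and
Transfer-Encoding values that cannot be trusted to delimit the message.
The sample requests at the bottom are constructed, not captured traffic.
"""
import re

# RFC 7230 token characters, used for header field names.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE_RE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")
# Transfer codings this validator is willing to accept (an assumption of
# this example, not an ATS setting).
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}


def split_head(raw: bytes):
    """Return (lines, problems) for the request head, i.e. everything before
    the first blank line. A bare LF is reported rather than tolerated: a
    lenient splitter is what lets two parsers disagree on where a request ends."""
    problems = []
    end = re.search(rb"\r?\n\r?\n", raw)
    head = raw[: end.start()] if end else raw
    if re.search(rb"(?<!\r)\n", head):
        problems.append("bare LF line ending in request head")
    lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
    return lines, problems


def validate_request_head(raw: bytes) -> list:
    """Return a list of problems; an empty list means the head is acceptable."""
    lines, problems = split_head(raw)
    if not lines or not REQUEST_LINE_RE.match(lines[0].decode("latin-1")):
        problems.append("malformed request line")
    te_codings, cl_values = [], []
    for ln in lines[1:]:
        if ln[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding in header")
            continue
        name, sep, value = ln.partition(b":")
        name_s = name.decode("latin-1")
        # Whitespace before the colon fails the token test, as RFC 7230 requires.
        if not sep or not TOKEN_RE.match(name_s):
            problems.append("malformed header line: %r" % ln)
            continue
        value_s = value.decode("latin-1").strip(" \t")
        lname = name_s.lower()
        if lname == "transfer-encoding":
            # Multiple Transfer-Encoding headers combine into one ordered list.
            te_codings += [c.strip().lower() for c in value_s.split(",") if c.strip()]
        elif lname == "content-length":
            cl_values.append(value_s)
    for cl in cl_values:
        if not cl.isdigit():
            problems.append("non-numeric Content-Length %r" % cl)
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    if te_codings:
        for c in te_codings:
            if c not in KNOWN_CODINGS:
                problems.append("unrecognized transfer coding %r" % c)
        if te_codings[-1] != "chunked":
            problems.append("chunked is not the final transfer coding")
        if cl_values:
            problems.append("Transfer-Encoding and Content-Length both present")
    return problems


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"POST /upload HTTP/1.1\r\nHost: origin.example\r\nContent-Length: 5\r\n\r\nhello",
    "bare_lf": b"POST /upload HTTP/1.1\nHost: origin.example\nContent-Length: 5\n\nhello",
    "te_and_cl": b"POST /upload HTTP/1.1\r\nHost: origin.example\r\n"
                 b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n",
    "odd_te": b"POST /upload HTTP/1.1\r\nHost: origin.example\r\n"
              b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, "->", validate_request_head(req) or "accept")
```

Run as a script it prints one verdict per constructed sample; imported, `validate_request_head` returns the problem list so the same check can be wired into a test suite or a log-replay job. The point of refusing rather than normalizing is that every place a front end quietly repairs an ambiguous head is a place it can end up disagreeing with the origin about message boundaries.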
Reported By:
Mattias Grenfeldt and Asta Olofsson (CVE-2021-37147, CVE-2021-37148, CVE-2021-37149)
Asbjorn Bjornstad (CVE-2021-41585)
Masaori Koshiba (CVE-2021-43082)
Robert Butts (CVE-2021-38161)
Vendor:
The Apache Software Foundation
Version Affected:
ATS 8.0.0 to 8.1.2
ATS 9.0.0 to 9.1.0
Mitigation:
8.x users should upgrade to 8.1.3 or later versions
9.x users should upgrade to 9.1.1 or later versions
References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38161
-Bryan