Posted to dev@trafficserver.apache.org by Bryan Call <bc...@apache.org> on 2022/03/23 13:34:14 UTC

[ANNOUNCE] Apache Traffic Server is vulnerable to potential request smuggling and MITM attacks

Description:
ATS is vulnerable to potential HTTP request smuggling and man-in-the-middle (MITM) attacks

CVE (8.1.x and 9.1.x):
CVE-2021-44040 HTTP request line fuzzing attacks

CVE (8.1.x):
CVE-2021-44759 Improper authentication vulnerability in TLS origin verification

Reported By:
Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu (CVE-2021-44040)
Takuya Kitano (CVE-2021-44759)

Vendor:
The Apache Software Foundation

Versions Affected:
ATS 8.0.0 to 8.1.3
ATS 9.0.0 to 9.1.1

Mitigation:
8.x users should upgrade to 8.1.4 or later versions
9.x users should upgrade to 9.1.2 or later versions
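To decide whether a given installation falls under this advisory, the following added helper (not part of the announcement or of the ATS project) compares a running version against the affected ranges and fixed releases listed above. It assumes the version can be read from a banner containing an x.y.z token, such as the output of `traffic_server -V`; the sample banners below are constructed, not captured from a real host, and the exact banner format is an assumption.

```python
import re

# Inclusive (lowest, highest) version ranges, per CVE, taken from the advisory.
AFFECTED_RANGES = {
    "CVE-2021-44040": [((8, 0, 0), (8, 1, 3)), ((9, 0, 0), (9, 1, 1))],
    "CVE-2021-44759": [((8, 0, 0), (8, 1, 3))],
}

# First fixed release on each major branch, from the Mitigation section.
FIXED_RELEASES = {8: (8, 1, 4), 9: (9, 1, 2)}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return the first x.y.z token in the banner as an int tuple, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_cves(version):
    """CVE IDs from this advisory whose affected range contains the version."""
    return [cve for cve, ranges in AFFECTED_RANGES.items()
            if any(lo <= version <= hi for lo, hi in ranges)]


def assess(banner):
    """Classify a banner as affected / fixed / not_covered / unparsed.

    'not_covered' means the major branch is not mentioned by the advisory
    (for example 7.x); the advisory says nothing about it, so no claim is made.
    """
    version = parse_version(banner)
    if version is None:
        return {"version": None, "status": "unparsed", "cves": [], "upgrade_to": None}
    major = version[0]
    if major not in FIXED_RELEASES:
        return {"version": version, "status": "not_covered", "cves": [], "upgrade_to": None}
    cves = affected_cves(version)
    if cves:
        return {"version": version, "status": "affected", "cves": cves,
                "upgrade_to": FIXED_RELEASES[major]}
    return {"version": version, "status": "fixed", "cves": [], "upgrade_to": None}


# Constructed sample banners (assumed `traffic_server -V` style; not real output).
SAMPLE_BANNERS = [
    "Apache Traffic Server - traffic_server - 8.1.3 - (build # 0000 on Jan 01 2022)",
    "Apache Traffic Server - traffic_server - 9.1.1 - (build # 0000 on Jan 01 2022)",
    "Apache Traffic Server - traffic_server - 9.1.2 - (build # 0000 on Jan 01 2022)",
    "Apache Traffic Server - traffic_server - 7.1.12 - (build # 0000 on Jan 01 2022)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
```

In practice, pass the real banner string to `assess()` (for example by piping the output of `traffic_server -V` into a small wrapper) and treat any result other than `fixed` as a reason to act: `affected` means upgrade to the listed release, `not_covered` means the branch is outside this advisory and needs separate review.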

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44759

-Bryan