oss-sec mailing list archives

Apache Traffic Server is vulnerable to various smuggle, DOS, and validation attacks

From: Bryan Call <bcall () apache org>
Date: Tue, 2 Nov 2021 14:25:48 -0700

Description:
Apache Traffic Server is vulnerable to various smuggle, DOS, and validation attacks

CVE (8.1.x and 9.1.x):
CVE-2021-37147 Request Smuggling - LF line ending
CVE-2021-37148 Request Smuggling - transfer encoding validation
CVE-2021-37149 Request Smuggling - multiple attacks
CVE-2021-41585 ATS stops accepting connections on FreeBSD
CVE-2021-43082 heap-buffer-overflow with stats-over-http plugin

CVE (8.1.x):
CVE-2021-38161 Not validating origin TLS certificate

Reported By:
Mattias Grenfeldt and Asta Olofsson (CVE-2021-37147, CVE-2021-37148, CVE-2021-37149)
Asbjorn Bjornstad (CVE-2021-41585)
Masaori Koshiba (CVE-2021-43082)
Robert Butts (CVE-2021-38161)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 8.0.0 to 8.1.2
ATS 9.0.0 to 9.1.0

Mitigation:
8.x users should upgrade to 8.1.3 or later versions
9.x users should upgrade to 9.1.1 or later versions

References:
  Downloads:
    https://trafficserver.apache.org/downloads
    (Please use backup sites from the link only if the mirrors are unavailable) 
  CVE:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37147
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37148
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37149
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41585
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43082
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38161

Current thread:

Apache Traffic Server is vulnerable to various smuggle, DOS, and validation attacks Bryan Call (Nov 02)