trafficserver-users mailing list archives

From Bryan Call <bc...@apache.org>
Subject ATS is vulnerable to an HTTP/2 attack with empty frames
Date Tue, 20 Aug 2019 18:36:41 GMT
Description:
ATS is vulnerable to an HTTP/2 attack with empty frames

CVE:
CVE-2019-9518 Empty Frames Flood

Reported By:
Piotr Sikora

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.6
ATS 8.0.0 to 8.0.3

Mitigation:
Turn off HTTP/2 or upgrade ATS to a current version
6.x users should upgrade to 7.1.8, 8.0.5, or later versions
7.x users should upgrade to 7.1.8 or later versions
8.x users should upgrade to 8.0.5 or later versions

References:
	Downloads:
		https://trafficserver.apache.org/downloads
		(Please use backup sites from the link only if the mirrors are unavailable)
	GitHub Pull Request:
		https://github.com/apache/trafficserver/pull/5850
	CVE:
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518

-Bryan


