trafficserver-users mailing list archives

From Bryan Call <bc...@apache.org>
Subject Re: ATS is vulnerable to a HTTP/2 attack with empty frames
Date Tue, 20 Aug 2019 21:47:11 GMT
This also affects 7.1.7 and 8.0.4.  I updated the version range below.

-Bryan


> On Aug 20, 2019, at 11:36 AM, Bryan Call <bcall@apache.org> wrote:
> 
> Description:
> ATS is vulnerable to a HTTP/2 attack with empty frames
> 
> CVE:
> CVE-2019-9518 Empty Frames Flood
> 
> Reported By:
> Piotr Sikora
> 
> Vendor:
> The Apache Software Foundation
> 
> Version Affected:
> ATS 6.0.0 to 6.2.3
> ATS 7.0.0 to 7.1.7
> ATS 8.0.0 to 8.0.4
> 
> Mitigation:
> Turn off HTTP/2 or upgrade ATS to a current version
> 6.x users should upgrade to 7.1.8, 8.0.5, or later versions
> 7.x users should upgrade to 7.1.8 or later versions
> 8.x users should upgrade to 8.0.5 or later versions
> 
> References:
> 	Downloads:
> 		https://trafficserver.apache.org/downloads
> 		(Please use backup sites from the link only if the mirrors are unavailable) 
> 	Github Pull Request:
> 		https://github.com/apache/trafficserver/pull/5850
> 	CVE:
> 		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
> 
> -Bryan
> 
> 

