trafficserver-users mailing list archives

From Bryan Call <bc...@apache.org>
Subject [ANNOUNCE] Apache Traffic Server is vulnerable to various HTTP/2 attacks
Date Tue, 13 Aug 2019 20:03:25 GMT
Description:
ATS is vulnerable to various HTTP/2 attacks

CVE:
CVE-2019-9512 Ping Flood
CVE-2019-9514 Reset Flood
CVE-2019-9515 Settings Flood
CVE-2019-10079 ATS is vulnerable to malformed SETTINGS frames

Reported By:
Jonathan Looney (CVE-2019-9512, CVE-2019-9514, CVE-2019-9515)
Masakazu Kitajo (CVE-2019-10079)

Vendor:
The Apache Software Foundation

Versions Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.6
ATS 8.0.0 to 8.0.3

Mitigation:
Turn off HTTP/2 or upgrade ATS to a current version
6.x users should upgrade to 7.1.7, 8.0.4, or later versions
7.x users should upgrade to 7.1.7 or later versions
8.x users should upgrade to 8.0.4 or later versions
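To apply the mitigation above across a fleet, a defender first needs to know which installed versions fall inside the advisory's affected ranges and what the upgrade target is. The following is an added example written for this archive page (not code from the announcement or the Traffic Server project); the version ranges and upgrade targets are copied from the advisory text, and the host inventory is constructed.

```python
"""Check Apache Traffic Server versions against the affected ranges in the
advisory for CVE-2019-9512, CVE-2019-9514, CVE-2019-9515 and CVE-2019-10079.
Added example, not part of the original announcement."""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, as listed in the advisory.
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 2, 3)),
    ((7, 0, 0), (7, 1, 6)),
    ((8, 0, 0), (8, 0, 3)),
]

# Upgrade target per major line, from the advisory's mitigation section.
# There is no fixed 6.x release: 6.x must move to 7.1.7 or 8.0.4.
UPGRADE_TARGET = {6: "7.1.7 or 8.0.4", 7: "7.1.7", 8: "8.0.4"}


def parse_version(text: str) -> Version:
    """Parse a 'MAJOR.MINOR.PATCH' string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ATS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def upgrade_advice(version: str) -> Optional[str]:
    """Return the advisory's upgrade target for an affected version, else None."""
    if not is_affected(version):
        return None
    return UPGRADE_TARGET[parse_version(version)[0]]


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported ATS version.
    inventory = {"edge-01": "7.1.6", "edge-02": "8.0.4", "edge-03": "6.2.3"}
    for host, ver in inventory.items():
        advice = upgrade_advice(ver)
        status = f"UPGRADE to {advice}" if advice else "not in affected ranges"
        print(f"{host}: ATS {ver}: {status}")
```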

References:
	Downloads:
		https://trafficserver.apache.org/downloads
		(Please use backup sites from the link only if the mirrors are unavailable) 
	Github Pull Request:
		https://github.com/apache/trafficserver/pull/5820
		https://github.com/apache/trafficserver/pull/5821
		https://github.com/apache/trafficserver/pull/5822
		https://github.com/apache/trafficserver/pull/5528
	CVE:
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10079

-Bryan