www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rawlin Peters <raw...@apache.org>
Subject [ANNOUNCE] CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability
Date Fri, 06 Sep 2019 19:54:07 GMT
CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions affected:
Traffic Control 3.0.0
Traffic Control 3.0.1

Description:
The Traffic Ops API component of the Apache Traffic Control project is
vulnerable to improper authentication when LDAP is enabled. Given a username
for a user that can be authenticated via LDAP, it is possible to improperly
authenticate as that user without that user's correct password.

Mitigation:
3.x users should upgrade to 3.0.2.
If the upgrade cannot be done immediately, LDAP authentication can be disabled
by removing the Traffic Ops LDAP configuration file -- ldap.conf -- in order to
mitigate the vulnerability until an upgrade to 3.0.2 can be performed.

References:
    Downloads:
        http://trafficcontrol.apache.org/releases/
    CVE:
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12405
    Project security:
        http://trafficcontrol.apache.org/security/
--
Thanks,
Rawlin

Mime
View raw message