Apache Traffic Server Critical Vulnerabilities
Share this:
Researchers have identified two critical security vulnerabilities in Apache Traffic Server that could allow attackers to cause denial of service attacks or bypass security restrictions.
ATS plays a pivotal role in maximizing bandwidth and bringing content closer to end-users. However, two critical security vulnerabilities have been found in ATS that could allow attackers to cause denial of service attacks or bypass security restrictions.
The first vulnerability tracked as, CVE-2022-47185, is an alarming flaw that could allow a denial of service (DoS) attack. The issue lies in the improper input validation by the range header within ATS. By sending a specifically crafted request to the server, a remote attacker could exploit this vulnerability to induce a denial of service condition. This DoS condition could cripple targeted systems, leaving users without access to essential services and information.
Affected Versions:
- ATS 8.0.0 to 8.1.7
- ATS 9.0.0 to 9.2.1
Mitigation Strategy:
- 8.x users: Upgrade to 8.1.8 or later versions
- 9.x users: Upgrade to 9.2.2 or later versions
The second vulnerability tracked as, CVE-2023-33934, is an equally troubling flaw that could allow an attacker to bypass security restrictions.This vulnerability is again rooted in improper input validation within ATS. A remote attacker could exploit it to perform cache poison attacks, essentially sidestepping the very security measures meant to protect users and the information they access.
Affected Versions:
- ATS 8.0.0 to 8.1.7
- ATS 9.0.0 to 9.2.1
Mitigation Strategy:
- 8.x users: Upgrade to 8.1.8 or later versions
- 9.x users: Upgrade to 9.2.2 or later versions
Both of these vulnerabilities are critical and could have a significant impact on organizations that use ATS. The denial of service vulnerability could cause ATS to become unavailable, which could disrupt network traffic and services. The security bypass vulnerability could allow attackers to inject malicious content into the cache, which could lead to data breaches or other security incidents.
The vulnerabilities have been patched in ATS version 8.1.8 and 9.2.2. Organizations that use ATS should upgrade to these versions as soon as possible to mitigate the risk of these vulnerabilities being exploited.
