Apache Traffic Server < 7.0.0 Multiple Vulnerabilities

Critical | Nessus Network Monitor Plugin ID 9788

Synopsis

The remote caching server is outdated and affected by multiple vulnerabilities.

Description

Apache Traffic Server versions prior to 7.0.0 are affected by the following vulnerabilities:

- A flaw exists in 'iocore/net/SSLCertLookup.cc' that is triggered because hostnames are not properly matched against wildcard entries in SSL certificates. This may allow a man-in-the-middle attacker to spoof valid certificates.
- An out-of-bounds read flaw exists in the slow logging functionality in the 'HttpSM::update_stats()' function in 'proxy/http/HttpSM.cc'. This may allow an attacker to have an unspecified impact that may potentially include causing a denial of service or disclosing sensitive information.
- A use-after-free error exists in the 'HttpSM::get_http_schedule()' function in 'proxy/http/HttpSM.cc'. The issue is triggered when handling 'pending_action'. This may allow a remote attacker to dereference already freed memory and cause a denial of service.
- A flaw exists in the 'HttpTunnel::consumer_handler()' function in 'proxy/http/HttpTunnel.cc' that is triggered when handling compressed client requests when the GZIP plugin is enabled. This may allow a remote attacker to cause a denial of service.
- A flaw exists in the 'ProxyClientTransaction::new_transaction()' function in 'proxy/ProxyClientTransaction.cc' that is triggered during the handling of HTTP/2 traffic. This may allow a remote attacker to terminate the connection.
- A flaw exists in the 'Http2ClientSession::state_start_frame_read()' function in 'proxy/http2/Http2ClientSession.cc' that is triggered during the handling of HTTP/2 traffic. This may allow a remote attacker to terminate the connection.
- An out-of-bounds read flaw exists in the 'ProxyClientSession::ssn_hook_get()' function in '/proxy/InkAPI.cc' that may allow a remote attacker to have an unspecified impact that may potentially include crashing the server or disclosing sensitive information.
- An out-of-bounds read flaw exists in the 'LogConfig::update_space_used()' function in 'proxy/logging/LogConfig.cc' that may allow an attacker to have an unspecified impact that may potentially include crashing the server or disclosing sensitive information.
- An uninitialized read flaw exists in the 'SDK_API_HttpTxnTransform()' function in 'proxy/InkAPITestTool.cc' that is triggered by an off-by-one flaw in the response buffer in 'synclient_txn_read_response'. This can allow a remote attacker to have an unspecified impact.
- A flaw exists in the 'get_effective_host()' function in 'plugins/experimental/remap_stats/remap_stats.c' related to unchecked return values. This may allow a remote attacker to have an unspecified impact.
- An out-of-scope pointer dereference flaw exists in the 'ParentRecord::?Init()' function in 'proxy/ParentSelection.cc' that may allow a remote attacker to cause a denial of service.
- An out-of-bounds read flaw exists in 'cmd/traffic_manager/traffic_manager.cc' that is triggered when handling '-h' arguments, which may allow a local attacker to have an unspecified impact that may potentially include crashing the server or disclosing sensitive information.

Solution

Upgrade to Apache Traffic Server 7.0.0 or later.

See Also

https://issues.apache.org/jira/browse/TS-4572

Plugin Details

Severity: Critical

ID: 9788

Family: Web Servers

Published: 11/18/2016

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:traffic_server

Patch Publication Date: 11/8/2016

Vulnerability Publication Date: 6/21/2016