Apache Traffic Server < 7.0.0 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9788

Synopsis

The remote caching server is outdated and affected by multiple attack vectors.

Description

Apache Traffic Server versions prior to 7.0.0 are affected by the following vulnerabilities:

- A flaw exists in 'iocore/net/SSLCertLookup.cc' that is triggered because hostnames are not properly matched against wildcards in SSL certificates. This may allow a man-in-the-middle attacker to spoof valid certificates. (OSVDB 147138)
- An out-of-bounds read flaw exists in the slow logging functionality in the 'HttpSM::update_stats()' function in 'proxy/http/HttpSM.cc'. This may allow an attacker to have an unspecified impact that may potentially include causing a denial of service or disclosing sensitive information. (OSVDB 147139)
- A use-after-free error exists in the 'HttpSM::get_http_schedule()' function in 'proxy/http/HttpSM.cc'. The issue is triggered when handling 'pending_action'. This may allow a remote attacker to dereference already freed memory and cause a denial of service. (OSVDB 147140)
- A flaw exists in the 'HttpTunnel::consumer_handler()' function in 'proxy/http/HttpTunnel.cc' that is triggered when handling compressed client requests when the GZIP plugin is enabled. This may allow a remote attacker to cause a denial of service. (OSVDB 147141)
- A flaw exists in the 'ProxyClientTransaction::new_transaction()' function in 'proxy/ProxyClientTransaction.cc' that is triggered during the handling of HTTP/2 traffic. This may allow a remote attacker to terminate the connection. (OSVDB 147043)
- A flaw exists in the 'Http2ClientSession::state_start_frame_read()' function in 'proxy/http2/Http2ClientSession.cc' that is triggered during the handling of HTTP/2 traffic. This may allow a remote attacker to terminate the connection. (OSVDB 147044)
- An out-of-bounds read flaw exists in the 'ProxyClientSession::ssn_hook_get()' function in '/proxy/InkAPI.cc' that may allow a remote attacker to have an unspecified impact that may potentially include crashing the server or disclosing sensitive information. (OSVDB 147045)
- An out-of-bounds read flaw exists in the 'LogConfig::update_space_used()' function in 'proxy/logging/LogConfig.cc' that may allow an attacker to have an unspecified impact that may potentially include crashing the server or disclosing sensitive information. (OSVDB 147046)
- An uninitialized read flaw exists in the 'SDK_API_HttpTxnTransform()' function in 'proxy/InkAPITestTool.cc' that is triggered by an off-by-one flaw in the response buffer in 'synclient_txn_read_response'. This can allow a remote attacker to have an unspecified impact. (OSVDB 147047)
- A flaw exists in the 'get_effective_host()' function in 'plugins/experimental/remap_stats/remap_stats.c' related to unchecked return values. This may allow a remote attacker to have an unspecified impact. (OSVDB 147048)
- An out-of-scope pointer dereference flaw exists in the 'ParentRecord::Init()' function in 'proxy/ParentSelection.cc' that may allow a remote attacker to cause a denial of service. (OSVDB 147049)
- An out-of-bounds read flaw exists in 'cmd/traffic_manager/traffic_manager.cc' that is triggered when handling '-h' arguments, which may allow a local attacker to have an unspecified impact that may potentially include crashing the server or disclosing sensitive information. (OSVDB 147050)

Solution

Upgrade to Apache Traffic Server 7.0.0 or later.

See Also

https://issues.apache.org/jira/browse/TS-4572

Plugin Details

Severity: Critical

ID: 9788

File Name: 9788.prm

Family: Web Servers

Published: 2016/11/18

Modified: 2017/01/31

Dependencies: 9787

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:traffic_server

Patch Publication Date: 2016/11/08

Vulnerability Publication Date: 2016/06/21

Reference Information

OSVDB: 147138, 147139, 147140, 147141, 147043, 147044, 147045, 147046, 147047, 147048, 147049, 147050