CERT-FI Advisory on Apache Traffic Server
Target:
- servers and server applications
Access Vector:
- remote
- no user interaction required
- no authentication required
Impact:
- denial of service
- potential code execution
Remediation:
- fix provided by vendor
Details
A heap overflow vulnerability has been found in the HTTP (Hypertext Transfer Protocol) handling of Apache Traffic Server. The vulnerability allows an attacker to cause a denial of service, or potentially to execute arbitrary code, by sending a specially crafted HTTP message to an affected server.
Vulnerability Coordination Information and Acknowledgements
The vulnerability was found by the Codenomicon CROSS project using the Codenomicon HTTP Server Test Suite. CERT-FI would like to thank Codenomicon and the Apache Traffic Server developer community for co-operation in the remediation efforts.
Vendor Information
- Apache Traffic Server 3.0.2 and all previous 2.0.x and 3.0.x versions
- Apache Traffic Server 3.1.2 and all previous 2.1.x and 3.1.x versions
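As an added example (not part of the CERT-FI advisory), a small Python check that decides whether an Apache Traffic Server version string falls inside the affected ranges listed above, suitable for running over a host inventory; the host names and version strings in the sample inventory are constructed, and because the advisory does not name the fixing releases, versions outside the listed ranges are reported as "not listed", not as "fixed".

```python
import re

# Affected ranges as stated in the advisory (FICORA #612884):
#   - 3.0.2 and all previous 2.0.x and 3.0.x versions
#   - 3.1.2 and all previous 2.1.x and 3.1.x versions
# Keyed by (major, minor); value is the highest affected version (inclusive).
AFFECTED_CEILING = {
    (2, 0): (3, 0, 2),  # every 2.0.x release is below 3.0.2
    (3, 0): (3, 0, 2),
    (2, 1): (3, 1, 2),  # every 2.1.x release is below 3.1.2
    (3, 1): (3, 1, 2),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z version in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(text):
    """True only when the version lies in a range the advisory lists as affected."""
    version = parse_version(text)
    if version is None:
        return False
    ceiling = AFFECTED_CEILING.get(version[:2])
    return ceiling is not None and version <= ceiling


def triage(inventory_lines):
    """Map each inventory line to 'affected', 'not listed' or 'unknown version'."""
    result = {}
    for line in inventory_lines:
        if parse_version(line) is None:
            result[line] = "unknown version"
        else:
            result[line] = "affected" if is_affected(line) else "not listed"
    return result


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    "cache-01: Apache Traffic Server 3.0.2",
    "cache-02: Apache Traffic Server 3.1.3",
    "cache-03: Apache Traffic Server 2.1.7",
    "cache-04: Apache Traffic Server (version unknown)",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16} {host}")
```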
Remediation
Patch the vulnerable software components according to the guidance published by the vendor.
References
Contact Information
CERT-FI Vulnerability Coordination can be contacted as follows:
Email:
vulncoord@ficora.fi
Please quote the advisory reference [FICORA #612884] in the subject line
Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)
Fax:
+358 9 6966 515
Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
CERT-FI encourages those who wish to communicate via email to make use
of our PGP key. The key is available at
https://www.cert.fi/en/activities/contact/pgp-keys.html
The CERT-FI vulnerability coordination policy can be viewed at
https://www.cert.fi/en/activities/Vulncoord/vulncoord-policy.html.
Revision History
22 Mar 2012, 18:59 UTC: Published
Page updated 11.05.2012