Bryan Call

Name of the Vulnerable Software and Affected Versions: Apache Traffic Server versions 8.0.0 through 8.1.11 Apache Traffic Server versions 9.0.0 through 9.2.5 Description: The issue is related to improper input validation, which can allow a remote attacker to implement a cache poisoning attack. This is a result of insufficient checking of input data. Recommendations: For versions 8.0.0 through 8.1.11, upgrade to version 9.2.6 or 10.0.2 to fix the issue. For versions 9.0.0 through 9.2.5, upgrade to version 9.2.6 or 10.0.2 to fix the issue.

Name of the Vulnerable Software and Affected Versions: Apache Traffic Server versions 6.0.0 through 6.2.3 Apache Traffic Server versions 7.0.0 through 7.1.11 Apache Traffic Server versions 8.0.0 through 8.1.0 Description: The issue is related to the ATS negative cache option, which is vulnerable to a cache poisoning attack. This vulnerability can be exploited by a remote attacker to impact data integrity. The attack is associated with a flaw in the interpretation of HTTP requests. Recommendations: For Apache Traffic Server versions 6.0.0 through 6.2.3, upgrade or disable the ATS negative cache option to mitigate the risk. For Apache Traffic Server versions 7.0.0 through 7.1.11, upgrade or disable the ATS negative cache option to mitigate the risk. For Apache Traffic Server versions 8.0.0 through 8.1.0, upgrade or disable the ATS negative cache option to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Apache Traffic Server versions 6.0.0 through 6.2.3 Apache Traffic Server versions 7.0.0 through 7.1.10 Apache Traffic Server versions 8.0.0 through 8.0.7 **Description** The issue is related to a buffer data boundary overflow in the Apache Traffic Server, which can be exploited by a remote attacker to cause a denial of service. The vulnerability can be triggered by certain types of HTTP/2 HEADERS frames, leading to excessive memory allocation and thread spinning. **Recommendations** For Apache Traffic Server versions 6.0.0 through 6.2.3, update to a version outside of this range to resolve the issue. For Apache Traffic Server versions 7.0.0 through 7.1.10, update to a version outside of this range to resolve the issue. For Apache Traffic Server versions 8.0.0 through 8.0.7, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the handling of HTTP/2 HEADERS frames to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Apache Traffic Server (ATS) versions 6.2.0 and prior Apache Traffic Server (ATS) versions 7.0.0 and prior Description: The issue arises from the handling of the Host header and line folding, potentially causing problems when interacting with upstream proxies, leading to the wrong host being used. Recommendations: For Apache Traffic Server (ATS) versions 6.2.0 and prior, update to a version that addresses the Host header and line folding issue. For Apache Traffic Server (ATS) versions 7.0.0 and prior, update to a version that addresses the Host header and line folding issue.