PT-2020-3635 · Apache · Apache Traffic Server
Bryan Call · Published 2020-06-24 · Updated 2022-03-31
CVE-2020-9494
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Traffic Server versions 6.0.0 through 6.2.3
Apache Traffic Server versions 7.0.0 through 7.1.10
Apache Traffic Server versions 8.0.0 through 8.0.7
Description
The affected releases do not adequately bound the resources Apache Traffic Server commits when processing certain HTTP/2 HEADERS frames. A remote, unauthenticated attacker who can open an HTTP/2 connection to the server can send such frames to make it allocate a large amount of memory and spin a worker thread, resulting in a denial of service. The CVSS vector reflects this: network-reachable, low complexity, no authentication, and a complete availability impact with no confidentiality or integrity impact.
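To make the weakness class concrete, the following is a small HTTP/2 frame-header parser that reassembles a stream's header block from HEADERS and CONTINUATION frames, first with no limit and then with one. It is an added illustration written for this entry, not Apache Traffic Server code, and it does not reproduce the specific frames that trigger CVE-2020-9494. The 16 KiB cap, the frame builder and the "endless CONTINUATION" sequence are constructed assumptions; the code covers only the memory side of the report (not the thread-spinning behaviour) and does not decode HPACK.

```python
"""Minimal HTTP/2 framing with a bound on the header block a peer can make us buffer.
Added illustration only: not Apache Traffic Server code, no CVE-2020-9494 trigger.
Frame layout per RFC 7540 s. 4.1, HEADERS per s. 6.2, CONTINUATION per s. 6.10."""
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FLAG_PADDED = 0x8
FLAG_PRIORITY = 0x20
MAX_HEADER_BLOCK = 16 * 1024   # assumed policy value for the bounded collector


class ProtocolError(Exception):
    """Raised where a real server would send GOAWAY/RST_STREAM and stop buffering."""


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frame_header(buf: bytes):
    """Return (length, type, flags, stream_id) from the 9-byte frame header."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ProtocolError("short frame header")
    length = int.from_bytes(buf[0:3], "big")
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    return length, buf[3], buf[4], stream_id


def header_fragment(ftype: int, flags: int, payload: bytes) -> bytes:
    """Strip Pad Length, priority fields and trailing padding from a HEADERS payload
    so only the header block fragment remains; CONTINUATION carries none of these."""
    if ftype != TYPE_HEADERS:
        return payload
    if flags & FLAG_PADDED:
        if not payload:
            raise ProtocolError("PADDED HEADERS without Pad Length")
        pad, payload = payload[0], payload[1:]
        if pad > len(payload):
            raise ProtocolError("padding exceeds payload")
        payload = payload[:len(payload) - pad]
    if flags & FLAG_PRIORITY:
        if len(payload) < 5:
            raise ProtocolError("PRIORITY HEADERS shorter than 5 bytes")
        payload = payload[5:]
    return payload


class HeaderBlockCollector:
    """Reassembles a stream's header block. max_block_bytes=None is the weak pattern:
    the peer decides how much memory we commit."""

    def __init__(self, max_block_bytes=None):
        self.max_block_bytes = max_block_bytes
        self.pending = {}   # stream_id -> bytearray of fragments seen so far

    def feed(self, frame: bytes):
        """Consume one complete frame. Returns ('complete', sid, block) on END_HEADERS,
        ('pending', sid, buffered_bytes) while accumulating, ('ignored', sid, 0) otherwise."""
        length, ftype, flags, sid = parse_frame_header(frame)
        payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame payload")
        if ftype == TYPE_HEADERS:
            if sid == 0 or sid in self.pending:
                raise ProtocolError("HEADERS on stream 0 or while a header block is open")
            self.pending[sid] = bytearray()
        elif ftype == TYPE_CONTINUATION:
            if sid not in self.pending:
                raise ProtocolError("CONTINUATION without a preceding HEADERS")
        else:
            if self.pending:
                raise ProtocolError("frame interleaved inside a header block")
            return "ignored", sid, 0
        fragment = header_fragment(ftype, flags, payload)
        buf = self.pending[sid]
        # Hardened check: refuse before growing the buffer past the cap, not after.
        if self.max_block_bytes is not None and len(buf) + len(fragment) > self.max_block_bytes:
            del self.pending[sid]
            raise ProtocolError(f"header block would exceed {self.max_block_bytes} bytes")
        buf += fragment
        if flags & FLAG_END_HEADERS:
            return "complete", sid, bytes(self.pending.pop(sid))
        return "pending", sid, len(buf)


def simulate_endless_continuations(max_block_bytes, n_frames: int, chunk: int = 1024):
    """Constructed abusive sequence: one HEADERS then CONTINUATION frames that never set
    END_HEADERS. Returns (bytes buffered for the stream, whether the peer was refused)."""
    collector = HeaderBlockCollector(max_block_bytes)
    frames = [build_frame(TYPE_HEADERS, 0, 1, b"\x00" * chunk)]
    frames += [build_frame(TYPE_CONTINUATION, 0, 1, b"\x00" * chunk) for _ in range(n_frames - 1)]
    buffered = 0
    for frame in frames:
        try:
            _state, _sid, buffered = collector.feed(frame)
        except ProtocolError:
            return buffered, True
    return buffered, False


if __name__ == "__main__":
    print("unbounded:", simulate_endless_continuations(None, 64))
    print("bounded:  ", simulate_endless_continuations(MAX_HEADER_BLOCK, 64))
```

With no cap the collector happily buffers whatever the peer sends (64 KiB here, and the attacker can keep going); with the cap it refuses the stream at 16 KiB before committing further memory. The same "check before allocate" discipline applies to every per-stream and per-connection resource an HTTP/2 peer controls.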
Recommendations
Apache Traffic Server 6.x (6.0.0 through 6.2.3): every release in this line is affected and the line is no longer maintained; move to a fixed release on a later line.
Apache Traffic Server 7.x (7.0.0 through 7.1.10): upgrade to a release later than 7.1.10.
Apache Traffic Server 8.x (8.0.0 through 8.0.7): upgrade to a release later than 8.0.7.
After upgrading, confirm the running binary with `traffic_server --version` (or `traffic_ctl server status` on 8.x) rather than relying on package metadata alone.
As a temporary workaround until the upgrade is applied, disable HTTP/2 on the exposed listening ports so clients fall back to HTTP/1.1, or restrict which networks can reach the HTTP/2 listener; there is no configuration knob that filters only the offending HEADERS frames.
Fix
Buffer Overflow
Allocation of Resources Without Limits
Affected Products
Apache Traffic Server