PT-2021-10098 · Apache · Apache Traffic Control
Published: 2021-01-26 · Updated: 2022-04-01 · CVE-2020-17522
CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Apache Traffic Control versions 3.0.0 through 3.1.0
Apache Traffic Control versions 4.0.0 through 4.1.0
Description:
The issue arises when ORT (now via atstccfg) generates ip_allow.config files for cache servers: the generated files include permissions that allow malicious actors to push arbitrary content into, and remove arbitrary content from, CDN cache servers. These permissions may also be extended to IP addresses outside the intended range, potentially granting them to clients outside the CDN architecture.
Recommendations:
For versions 3.0.0 through 3.1.0, consider restricting access to the ip_allow.config files to prevent unauthorized modifications.
For versions 4.0.0 through 4.1.0, consider implementing additional security measures to limit the permissions granted to IP addresses, ensuring they stay within the intended range.
As a temporary workaround, consider disabling the generation of ip_allow.config files via atstccfg until a patch is available.
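The description and the recommendations above both come down to one question an operator can answer from the generated files: which source ranges does each cache server's ip_allow.config allow to use the cache-modifying methods (PUSH, PURGE, DELETE), and are those ranges all inside the CDN's own address space? The following audit script is an added example, not code from this advisory or from the Apache Traffic Control project. It assumes the pre-ATS-9 line format of ip_allow.config (`src_ip=<addr|range|cidr> action=ip_allow|ip_deny method=A|B`), and the sample configuration and the trusted-range list it uses are constructed for illustration.

```python
import ipaddress
import re

# Methods that change cache contents. PUSH and PURGE are the ones the
# advisory describes; DELETE is included because the Traffic Server default
# ip_allow.config groups it with them.
CACHE_MODIFYING = {"PUSH", "PURGE", "DELETE"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_src(spec):
    """Expand a src_ip spec ('a.b.c.d', 'lo-hi' range, or CIDR) to ip_network objects."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return [ipaddress.ip_network(spec, strict=False)]


def parse_rule(line):
    """Parse one ip_allow.config line; returns None for comments, blanks and dest_ip rules."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "src_ip" not in fields or "action" not in fields:
        return None
    methods = set(fields.get("method", "ALL").upper().split("|"))
    return {"src": parse_src(fields["src_ip"]), "action": fields["action"],
            "methods": methods, "raw": line}


def audit(config_text, trusted_cidrs):
    """Return (rule, network, methods) for every ip_allow rule that grants a
    cache-modifying method to a source network not fully inside a trusted CIDR."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in filter(None, map(parse_rule, config_text.splitlines())):
        if rule["action"] != "ip_allow":
            continue
        granted = CACHE_MODIFYING if "ALL" in rule["methods"] else rule["methods"] & CACHE_MODIFYING
        if not granted:
            continue
        for net in rule["src"]:
            same_family = [t for t in trusted if t.version == net.version]
            if not any(net.subnet_of(t) for t in same_family):
                findings.append((rule["raw"], str(net), sorted(granted)))
    return findings


# Constructed sample resembling a generated ip_allow.config; the 203.0.113.0/24
# rule stands in for a range that is outside the CDN's own address space.
SAMPLE_CONFIG = """\
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
src_ip=10.0.0.0-10.255.255.255 action=ip_allow method=ALL
src_ip=203.0.113.0-203.0.113.255 action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255 action=ip_allow method=GET|HEAD|OPTIONS
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
"""

# Constructed list of ranges this hypothetical CDN considers its own.
TRUSTED = ["127.0.0.0/8", "::1/128", "10.0.0.0/8"]

if __name__ == "__main__":
    for raw, net, methods in audit(SAMPLE_CONFIG, TRUSTED):
        print(f"{net} may use {'|'.join(methods)} via rule: {raw}")
```

Run it against each cache server's generated file with the CDN's real address ranges as the trusted list; any finding is a rule that lets hosts outside the CDN push into or purge the cache. The script only examines explicit ip_allow rules, so a file that relies on the absence of a rule for its protection will show no findings and still needs a manual look at its trailing ip_deny entries.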
Fix
Incorrect Permission
Affected Products
Apache Traffic Control