PT-2021-3628 · Apache · Apache Traffic Server
Masaori Koshiba
·
Published
2021-06-30
·
Updated
2021-09-20
·
CVE-2021-32567
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Traffic Server versions 7.0.0 through 7.1.12
Apache Traffic Server versions 8.0.0 through 8.1.1
Apache Traffic Server versions 9.0.0 through 9.0.1
Description
The issue is related to improper input validation in the HTTP/2 module of Apache Traffic Server, which can be exploited by an attacker to cause a denial of service (DOS) of the server.
Recommendations
For versions 7.0.0 through 7.1.12, update to a version outside of this range to resolve the issue.
For versions 8.0.0 through 8.1.1, update to a version outside of this range to resolve the issue.
For versions 9.0.0 through 9.0.1, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting access to the HTTP/2 module until a patch is available.
Fix
DoS
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Traffic Server