oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[CVE-2018-11783] Apache Traffic Server vulnerability with sslheader plugin

From: Bryan Call <bcall () apache org>
Date: Tue, 12 Feb 2019 15:42:35 -0800
CVE-2018-11783: Apache Traffic Server vulnerability with sslheader plugin

Reported By:
Nikhil Marathe

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.5
ATS 8.0.0 to 8.0.1

Description:
sslheaders plugin extracts information from the client certificate and sets headers in the request based on the 
configuration of the plugin.  The plugin doesn't strip the headers from the request in some scenarios.

Mitigation:
6.x users should upgrade to 7.1.6, 8.0.2, or later versions
7.x users should upgrade to 7.1.6 or later versions
8.x users should upgrade to 8.0.2 or later versions

References:
        Downloads:
                https://trafficserver.apache.org/downloads <https://trafficserver.apache.org/downloads>
        Github Pull Request:
                https://github.com/apache/trafficserver/pull/4701 <https://github.com/apache/trafficserver/pull/4701>
        CVE:
                https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11783 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11783>

-Bryan
Previous By Date Next
Previous By Thread Next

Current thread: