#VU29356 Resource exhaustion in Apache Traffic Server - CVE-2020-9494

Cybersecurity Help s.r.o.

Published: 2020-06-29

Vulnerability identifier: #VU29356

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-9494

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Traffic Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing HTTP/2 HEADERS frames. A remote attacker can send specially crafted HTTP/2 requests to the server, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Traffic Server: 6.0.0, 6.1.0 - 6.1.1, 6.2.0 - 6.2.3, 7.0.0, 7.1.0 - 7.1.10, 8.0.0 - 8.0.7

External links
https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E
https://www.debian.org/security/2020/dsa-4710

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for tomcat9

Amazon Linux AMI update for tomcat7

openEuler 20.03 LTS SP1 update for tomcat

Denial of service in Apache Traffic Server

Debian update for trafficserver