A Twin Threat to Apache Traffic Server – CVE-2022-47185 and CVE-2023-33934 Flaws

CVE-2023-33934

Apache Traffic Server (ATS) has been the robust heart of numerous network systems, a high-performance web proxy cache designed to make content delivery across the internet faster, smoother, and more efficient. As a cornerstone for enterprises, Internet Service Providers (ISPs), backbone providers, and large intranets, ATS plays a pivotal role in maximizing bandwidth and bringing content closer to end-users. However, two critical security vulnerabilities have been found in ATS that could allow attackers to cause denial of service attacks or bypass security restrictions.

CVE-2022-47185: A Denial of Service Vulnerability

The first of these vulnerabilities, CVE-2022-47185, is an alarming flaw that could allow a denial of service (DoS) attack. Unearthed by security researcher Katsutoshi Ikenoya, the issue lies in the improper input validation by the range header within ATS.

By sending a specifically crafted request to the server, a remote attacker could exploit this vulnerability to induce a denial of service condition. This DoS condition could cripple targeted systems, leaving users without access to essential services and information.

Affected Versions:

  • ATS 8.0.0 to 8.1.7
  • ATS 9.0.0 to 9.2.1

Mitigation Strategy:

  • 8.x users: Upgrade to 8.1.8 or later versions
  • 9.x users: Upgrade to 9.2.2 or later versions

CVE-2023-33934: A Security Bypass Vulnerability

The second vulnerability, CVE-2023-33934, is an equally troubling flaw that could allow an attacker to bypass security restrictions. The collaborative effort of security researchers Bahruz Jabiyev, Anthony Gavazzi, Engin Kirda, Kaan Onarlioglu, Adi Peleg, and Harvey Tuch has uncovered this loophole.

This vulnerability is again rooted in improper input validation within ATS. A remote attacker could exploit it to perform cache poison attacks, essentially sidestepping the very security measures meant to protect users and the information they access.

Affected Versions:

  • ATS 8.0.0 to 8.1.7
  • ATS 9.0.0 to 9.2.1

Mitigation Strategy:

  • 8.x users: Upgrade to 8.1.8 or later versions
  • 9.x users: Upgrade to 9.2.2 or later versions

A Call to Action

Both of these vulnerabilities are critical and could have a significant impact on organizations that use ATS. The denial of service vulnerability could cause ATS to become unavailable, which could disrupt network traffic and services. The security bypass vulnerability could allow attackers to inject malicious content into the cache, which could lead to data breaches or other security incidents.

The vulnerabilities have been patched in ATS version 8.1.8 and 9.2.2. Organizations that use ATS should upgrade to these versions as soon as possible to mitigate the risk of these vulnerabilities being exploited.