Apache Traffic Server Hit by Request Smuggling Vulnerability (CVE-2024-53868)


Apache Traffic Server (ATS), a widely adopted and high-performance HTTP proxy server, has been identified as vulnerable to a request smuggling attack. This vulnerability, tracked as CVE-2024-53868, stems from how ATS handles chunked messages, potentially allowing malicious actors to interfere with the processing of HTTP requests.

For those unfamiliar, Apache Traffic Server is a robust and scalable proxy server. It’s known for its speed and extensibility, supporting both HTTP/1.1 and HTTP/2 protocols. Originally a commercial product, it was donated to the Apache Foundation and is now a key component in the infrastructure of numerous major Content Delivery Networks (CDNs) and content owners.

The core issue lies in how ATS parses and processes HTTP requests that use chunked transfer encoding. This encoding method allows data to be sent in a series of chunks, which is useful for situations where the total size of the data is unknown. However, the vulnerability, CVE-2024-53868, reveals that a specially crafted chunked message body can be used to “smuggle” requests.
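
The defensive principle behind chunked-encoding smuggling bugs is that two HTTP parsers in the same request path must never disagree about where a message ends. The following strict chunked-body decoder is an added example written for this article; it is not Apache Traffic Server code and does not reproduce the CVE-2024-53868 defect, which the advisory does not describe in detail. It assumes hypothetical `framing_mode`, `decode_chunked` and `verdict` helpers and applies the RFC 9112 rules a proxy should enforce: reject a request carrying both Content-Length and Transfer-Encoding, require `chunked` to be the single final coding, accept only a well-formed hexadecimal chunk-size line, and surface any bytes left after the terminating chunk instead of silently treating them as the next request.

```python
"""Strict HTTP/1.1 chunked-body decoder (added example, not ATS code).

Request smuggling works by getting two parsers to disagree on where a
message ends. A defensive parser removes that ambiguity by rejecting
anything RFC 9112 does not explicitly permit instead of guessing.
"""
import re


class FramingError(ValueError):
    """Raised when message framing is ambiguous or malformed."""


# chunk-size = 1*HEXDIG, optionally followed by chunk extensions (";...").
# Deliberately stricter than the RFC's bad-whitespace allowance.
_CHUNK_LINE_RE = re.compile(rb"([0-9A-Fa-f]{1,16})(;[^\r\n]*)?")


def framing_mode(headers):
    """headers: list of (name, value) byte pairs.
    Returns ('chunked', None), ('content-length', n) or ('none', None);
    raises FramingError when the framing is ambiguous."""
    te = [v for n, v in headers if n.lower() == b"transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == b"content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        if len(te) != 1:
            raise FramingError("multiple Transfer-Encoding headers")
        codings = [c.strip().lower() for c in te[0].split(b",")]
        if codings.count(b"chunked") != 1 or codings[-1] != b"chunked":
            raise FramingError("chunked must be the single, final transfer coding")
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("conflicting or non-numeric Content-Length")
        return ("content-length", int(cl[0]))
    return ("none", None)


def decode_chunked(body):
    """Strictly decode a chunked body. Returns (payload, trailing_bytes).
    trailing_bytes is whatever follows the last-chunk/trailer section; a
    proxy must not silently treat it as the start of a second request."""
    pos, out = 0, bytearray()
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise FramingError("chunk-size line not terminated by CRLF")
        line = body[pos:end]
        m = _CHUNK_LINE_RE.fullmatch(line)  # rejects "5xx", bare LF, "5 " etc.
        if not m:
            raise FramingError("malformed chunk-size line: %r" % line)
        size = int(m.group(1), 16)
        pos = end + 2
        if size == 0:
            # last-chunk: optional trailer fields, then an empty line.
            while True:
                end = body.find(b"\r\n", pos)
                if end == -1:
                    raise FramingError("unterminated trailer section")
                field = body[pos:end]
                pos = end + 2
                if field == b"":
                    return bytes(out), body[pos:]
                if b":" not in field:
                    raise FramingError("malformed trailer field: %r" % field)
        if pos + size + 2 > len(body):
            raise FramingError("chunk-data truncated")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk-data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def verdict(headers, body):
    """Proxy-side entry point: ('ok', payload, rest) or ('reject', reason).
    A non-empty rest means the client sent more bytes than one message."""
    try:
        mode, length = framing_mode(headers)
        if mode == "chunked":
            payload, rest = decode_chunked(body)
        elif mode == "content-length":
            if len(body) < length:
                raise FramingError("body shorter than Content-Length")
            payload, rest = body[:length], body[length:]
        else:
            payload, rest = b"", body
        return ("ok", payload, rest)
    except FramingError as e:
        return ("reject", str(e))


if __name__ == "__main__":
    # Constructed sample: a valid chunked body with an extension and trailer.
    hdrs = [(b"Transfer-Encoding", b"chunked")]
    print(verdict(hdrs, b"5;ext=1\r\nhello\r\n0\r\nX-T: v\r\n\r\n"))
    print(verdict(hdrs, b"5xx\r\nhello\r\n0\r\n\r\n"))
```

A production proxy would also cap the total decoded size and the number of chunks, but the point here is the rejection policy: every malformed or ambiguous message is refused with a 400 rather than reinterpreted, so an upstream server can never see a different message boundary than the proxy did.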

Request smuggling is a serious type of web security vulnerability. It allows an attacker to “smuggle” HTTP requests within other, legitimate ones. This can lead to various malicious outcomes, including:

  • Bypassing security controls: Attackers might be able to circumvent web application firewalls or access control lists.
  • Cache poisoning: Malicious requests could be cached by the server, affecting other users.
  • Session hijacking: In some scenarios, an attacker might be able to intercept or manipulate user sessions.

The following versions of Apache Traffic Server are affected by this vulnerability:

  • ATS 9.0.0 to 9.2.9
  • ATS 10.0.0 to 10.0.4

Fortunately, fixes are available. To mitigate this risk, it is crucial to update your Apache Traffic Server installation to a patched version.

  • If you are using the 9.x branch, upgrade to version 9.2.10 or later.
  • If you are using the 10.x branch, upgrade to version 10.0.5 or later.
