Apache Traffic Server Patches Critical Vulnerabilities in Latest Release
The Apache Software Foundation has released a security update for Apache Traffic Server, addressing three critical vulnerabilities that could leave users susceptible to a range of cyberattacks. The flaws, impacting versions 9.0.0 to 9.2.5 and 10.0.0 to 10.0.1, range from cache poisoning to potential privilege escalation.
CVE-2024-38479 (CVSS 7.5): Cache Key Plugin Vulnerability
This vulnerability allows attackers to manipulate the cache key plugin, potentially leading to cache poisoning attacks. By injecting malicious content into the server’s cache, attackers could redirect users to phishing websites or deliver malware.
CVE-2024-50305 (CVSS 7.5): Host Field Vulnerability
A specially crafted “Host” field value can trigger crashes in Apache Traffic Server. This denial-of-service vulnerability could be exploited to disrupt website availability and impact legitimate users.
CVE-2024-50306 (CVSS 9.1): Privilege Escalation on Startup
This high-severity vulnerability stems from an unchecked return value, potentially allowing Apache Traffic Server to retain elevated privileges during startup. Exploiting this flaw could grant attackers significant control over the server and its data.
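To illustrate the bug class behind CVE-2024-50306 (a privilege drop whose return value is never checked), here is an added C example; it is a constructed illustration, not Apache Traffic Server's code, and the function names and uid/gid handling are assumptions rather than anything taken from the Traffic Server source.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed illustration of the bug class: the result of each drop is
 * discarded, so on failure the process silently keeps its starting credentials.
 * The (void) casts also silence the compiler's unused-result warning. */
static void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    (void)setgid(gid);
    (void)setuid(uid);
}

/* Hardened form: every step is checked, the effective ids are verified after
 * the drop, and for a non-root target a re-escalation attempt must fail.
 * Returns 0 on success, -1 on failure; the caller must abort on -1. */
static int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups survive setgid(); clear them while still root. */
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    /* Group before user: after setuid() a non-root process cannot setgid(). */
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    /* Verify rather than assume: the kernel's view is the only truth. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* If root can still be regained, the drop was not permanent. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Demo: drop to the caller's own ids (always permitted); a daemon would pass
 * its service account's uid/gid. Exit status 1 means "refuse to run". */
int main(void)
{
    return drop_privileges_checked(getuid(), getgid()) != 0;
}
```

The unchecked variant is kept only for contrast; the point of the hardened form is that a failed call aborts startup instead of letting the process continue with the privileges it was launched with.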
Mitigation:
The Apache Software Foundation urges all users to update their installations immediately. Users of the 9.x branch should upgrade to version 9.2.6 or later, while those running the 10.x branch should upgrade to 10.0.2 or later.