
The Apache Traffic Server project has released updates to address several security vulnerabilities affecting multiple versions of its popular web proxy cache. These vulnerabilities range from request smuggling to improper access control, potentially impacting the security and performance of networks relying on the software.
One notable vulnerability, CVE-2024-38311, allows for request smuggling via pipelining after a chunked message body. This issue, stemming from improper input validation, could enable attackers to manipulate network traffic and potentially gain unauthorized access to sensitive information.
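To make the framing issue concrete, here is an added illustration (not code from the Apache Traffic Server project, and not a reproduction of the bug): a strict HTTP/1.1 chunked-body decoder that stops exactly at the terminating zero-size chunk and reports any bytes that follow it, which a proxy must parse as the start of a separate pipelined request rather than fold into the body. The sample request bytes and the `example.test` host are constructed.

```python
"""Strict chunked-body framing check: decode exactly one chunked body and
surface whatever remains in the buffer (a pipelined request, if any)."""
import re

# chunk-size line: hex size, optional chunk extension after ';'
CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(;.*)?$")


def parse_chunked(buf: bytes) -> tuple[bytes, bytes]:
    """Return (decoded_body, remainder). Raises ValueError on malformed framing."""
    pos = 0
    body = bytearray()
    while True:
        end = buf.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("incomplete chunk-size line")
        m = CHUNK_SIZE_RE.match(buf[pos:end])
        if not m:
            raise ValueError("malformed chunk-size line")
        size = int(m.group(1), 16)
        pos = end + 2
        if size == 0:
            # Trailer section: zero or more header lines, then an empty line.
            while True:
                end = buf.find(b"\r\n", pos)
                if end < 0:
                    raise ValueError("incomplete trailer section")
                line = buf[pos:end]
                pos = end + 2
                if line == b"":
                    # Everything past this point belongs to the NEXT request.
                    return bytes(body), buf[pos:]
        if len(buf) < pos + size + 2:
            raise ValueError("incomplete chunk data")
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def has_pipelined_request(buf: bytes) -> bool:
    """True when a chunked body is followed by further bytes in the same buffer."""
    _, rest = parse_chunked(buf)
    return len(rest) > 0


# Constructed sample: a chunked body immediately followed by a pipelined request.
SAMPLE = (b"5\r\nhello\r\n0\r\n\r\n"
          b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n")
```

Whatever `parse_chunked` returns as the remainder must be fed back through the full request-line and header parser with its own framing; treating it as leftover body, or silently dropping it, is the kind of disagreement between parsers that request smuggling exploits.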
Additionally, two improper access control vulnerabilities, CVE-2024-56195 and CVE-2024-56196, were identified. CVE-2024-56195 affects intercept plugins, which were found to lack proper access controls, potentially allowing unauthorized modification of network traffic. CVE-2024-56196 relates to Access Control Lists (ACLs) and impacts compatibility with older versions of Apache Traffic Server.
Finally, CVE-2024-56202 is an expected behavior violation vulnerability related to the Expect header field. This vulnerability could allow attackers to “unreasonably retain resources,” potentially leading to denial-of-service conditions.
The Apache Traffic Server project urges users to upgrade to version 9.2.9 or 10.0.4 to mitigate these vulnerabilities; these releases contain fixes for all of the security flaws described above.