Apache Traffic Server Security Update Advisory

Overview

An update has been released to address vulnerabilities in Apache Traffic Server. Users of the affected versions are advised to update to the latest version.

 

Affected Products

 

CVE-2024-38479

  • Apache Traffic Server versions: 8.0.0 (inclusive) ~ 8.1.11 (inclusive)
  • Apache Traffic Server versions: 9.0.0 (inclusive) ~ 9.2.5 (inclusive)

 

CVE-2024-50305

  • Apache Traffic Server versions: 9.2.0 (inclusive) ~ 9.2.5 (inclusive)

 

CVE-2024-50306

  • Apache Traffic Server versions: 9.2.0 (inclusive) ~ 9.2.5 (inclusive)
  • Apache Traffic Server versions: 10.0.0 (inclusive) ~ 10.0.1 (inclusive)

 

Resolved Vulnerabilities

 

Improper input validation vulnerability in Apache Traffic Server (CVE-2024-38479)

An invalid Host header field could cause Apache Traffic Server to crash on some platforms (CVE-2024-50305)

Vulnerability that could allow Apache Traffic Server to retain privileges on startup due to an unvalidated return value (CVE-2024-50306)

 

Vulnerability Patches

 

Patches for these vulnerabilities are available in the latest releases. Follow the instructions on the Referenced Sites to update to a patched version.

 

CVE-2024-38479

  • Apache Traffic Server version: 9.2.6 or later version
  • Apache Traffic Server version: 10.0.2 or later version

 

CVE-2024-50305

  • Apache Traffic Server version: 9.2.6 or later version
  • Apache Traffic Server version: 10.0.2 or later version

 

CVE-2024-50306

  • Apache Traffic Server version: 9.2.6 or later version
  • Apache Traffic Server version: 10.0.2 or later version
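The affected and patched version ranges listed above, encoded as a triage check for an installed version. This is an added example, not part of the original advisory or of Apache Traffic Server. The function names and the choice of upgrade target (the same major line when it has a patched release, otherwise the lowest patched release listed) are assumptions, and the sample version strings are constructed.

```python
import re

# Affected ranges from this advisory, inclusive at both ends.
AFFECTED = {
    "CVE-2024-38479": [((8, 0, 0), (8, 1, 11)), ((9, 0, 0), (9, 2, 5))],
    "CVE-2024-50305": [((9, 2, 0), (9, 2, 5))],
    "CVE-2024-50306": [((9, 2, 0), (9, 2, 5)), ((10, 0, 0), (10, 0, 1))],
}
# Patched releases listed in this advisory (the same for all three CVEs).
FIXED = [(9, 2, 6), (10, 0, 2)]


def parse_version(text):
    """Extract the first x.y.z version from a string as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def triage(version_text):
    """Return (CVE ids whose listed range contains the version, upgrade target).

    An empty result means only that the version is outside the ranges listed
    in this advisory, not that the release is free of other issues.
    """
    # Compare as integer tuples: as strings, "8.1.2" sorts after "8.1.11".
    v = parse_version(version_text)
    hits = sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= v <= hi for lo, hi in ranges))
    if not hits:
        return hits, None
    # Assumption: stay on the same major line if it has a patched release;
    # the advisory lists no 8.x fix, so 8.x maps to the lowest patched release.
    same_major = [f for f in FIXED if f[0] == v[0]]
    target = min(same_major) if same_major else min(FIXED)
    return hits, ".".join(str(n) for n in target)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("8.1.2", "9.1.0", "9.2.5", "10.0.1", "9.2.6", "10.0.2"):
        cves, target = triage(sample)
        status = f"update to {target} or later" if cves else "not in listed ranges"
        print(f"{sample:8} {', '.join(cves) or '-':48} {status}")
```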

     

 

Referenced Sites

 

[1] CVE-2024-38479 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-38479

[2] CVE-2024-50305 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-50305

[3] CVE-2024-50306 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-50306

[4] [ANNOUNCEMENT] Apache Traffic Server is vulnerable to specific user inputs

https://lists.apache.org/thread/y15fh6c7kyqvzm0f9odw7c5jh4r4np0y