5 highly critical vulnerabilities in Apache Traffic Server. Patch now

Cybersecurity experts report the detection of a set of vulnerabilities in Apache Traffic Server, a modular, high-performance reverse proxy server, generally comparable to Nginx and Squid. According to the report, the successful exploitation of these flaws would compromise the affected systems.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-32565: Improper validation of HTTP requests when processing Content-Length headers would allow remote attackers to send a specially crafted HTTP request to the server and perform an arbitrary HTTP header smuggling attack.

The flaw received a score of 6.3/10 and its successful exploitation would allow attackers to poison the HTTP cache and perform phishing attacks.

CVE-2021-27577: Inadequate validation of user input when handling URL fragmentation allows remote attackers to send a specially crafted HTTP request and poison the web server cache.

The vulnerability received a CVSS score of 6.3/10.

CVE-2021-32566: Insufficient validation of user input when processing HTTP/2 requests would allow remote attackers to send a specially crafted stream and perform denial of service (DoS) attacks.

This flaw received a CVSS score of 6.5/10.

CVE-2021-32567: Improper handling of internal resources within the application when processing HTTP/2 frames would allow remote attackers to pass specially crafted data to the application and perform DoS attacks.

The vulnerability received a CVSS score of 4.6/10.

CVE-2021-35474: A boundary bug within the cache key plug-in allows unauthenticated remote attackers to send specially crafted traffic to the application, trigger a buffer overflow, and execute arbitrary code on the compromised system.

The flaw received a CVSS score of 8.5/10 and its successful exploitation could result in the complete compromise of the vulnerable system.

These flaws reside in the following versions of Apache Traffic Server: 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.1.11, 7.1.12, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 9.0.0 and 9.0.1.

While the flaws can be exploited by unauthenticated threat actors, neither exploit attempts in real-world scenarios nor a malware variant associated with the attack have been detected.

The flaws have already been corrected, so users of affected deployments are encouraged to update as soon as possible.