Apache Traffic Server Security Patch

Tuesday, March 27, 2012 @ 06:03 PM gHale

Version 3.0.4 of Apache Traffic Server, the high performance caching HTTP/1.1 proxy server, closes a security hole an attacker could exploit by remotely compromising a vulnerable system.

An error when parsing a large “Host:” HTTP header can cause a heap-based buffer overflow, which could lead to a denial-of-service (DoS) condition or the execution of arbitrary code.

Microsoft Seizes Zeus Servers
Smart Malware on Growth Curve
Malware has Bots Acting as C&C Server
Stealth Trojan Hijacks DLL File

The vulnerability (CVE-2012-0256) came to Apache by Codenomicon via CERT-FI and rates as “Important”.

All 2.0.x versions as well as 3.0.x and 3.1.x up to and including 3.0.3 and 3.1.2 suffer from the issue. Upgrading to 3.0.4 fixes the problem. The developers have also released an update, version 3.1.3, to the unstable development branch of ATS to fix the security problem and urge all users to upgrade as soon as possible.

More details about the updates, including a full list of bug fixes, are in the CERT-FI security advisory, and in the 3.0.4 and 3.1.3 change logs. Versions 3.0.4 and 3.1.3 of Apache Traffic Server are available from the project’s download page and documentation is provided. Apache Traffic Server released under the Apache License 2.0.

Leave a Reply

You must be logged in to post a comment.