Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks

destructively Overview :

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn’t limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.

http://ramblingfisherman.com/wp-content/plugins/ubh/up.php Affected Product(s) :

Apache Tomcat 9.0.0.M1 to 9.0.0.M17
Apache Tomcat 8.5.0 to 8.5.11
Apache Tomcat 8.0.0.RC1 to 8.0.41
Apache Tomcat 7.0.0 to 7.0.75
Apache Tomcat 6.0.x is not affected

Vulnerability Details :

CVE ID :	CVE-2019-10079
	While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Solution :

Users of the affected versions should apply one of the following mitigations:
– Upgrade to Apache Tomcat 9.0.0.M18 or later
– Upgrade to Apache Tomcat 8.5.12 or later
– Upgrade to Apache Tomcat 8.0.42 or later
– Upgrade to Apache Tomcat 7.0.76 or later

Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2024-22144 : ELI SCHEETZ ANTI-MALWARE SECURITY AND BRUTE-FORCE FIREWALL PLUGIN CODE INJECTION

CVE-2024-26922 : LINUX KERNEL UP TO 6.9-RC4 AMDGPU PRIVILEGE ESCALATION

CVE-2024-21511 : MYSQL2 UP TO 3.9.6 READCODEFOR TIMEZONE CODE INJECTION