GSA_kwCzR0hTQS1mMndyLWM0YzQteGpnN83wPg

High EPSS: 0.01728% (0.81501 Percentile) EPSS:

Permalink JSON

Apache Traffic Control vulnerable to Slowloris-style Denial of Service attack

Affected Packages	Affected Versions	Fixed Versions
go:github.com/apache/trafficcontrol	>= 0.0.0, < 1.1.4-0.20170531185407-738c10fa1b58, >= 1.1.4, < 1.8.1, < 0.0.0-20170531185407-738c10fa1b58, = 2.1.0-RC0, >= 2.0.0-RC0, < 2.0.0	1.1.4-0.20170531185407-738c10fa1b58, 1.8.1, 0.0.0-20170531185407-738c10fa1b58, 2.1.0-RC1, 2.0.0
1 Dependent packages 2 Dependent repositories Affected Version Ranges All affected versions 1.1.3 All unaffected versions 5.0.0, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.6, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 7.0.0, 7.0.1

The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Traffic Router is restarted. If connections remain in the ESTABLISHED state indefinitely and accumulate in number to match the size of the thread pool dedicated to processing DNS requests, the thread pool becomes exhausted. Once the thread pool is exhausted, Traffic Router is unable to service any DNS request, regardless of transport protocol.

References:

Identifiers

GHSA-f2wr-c4c4-xjg7

CVE-2017-7670

Risk

Severity

High

EPSS

EPSS Percentage: 0.01728

EPSS Percentile: 0.81501

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/apache/trafficcontrol

Date and time

Published

about 3 years ago

Updated

19 days ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories