CVE-2018-8004
First published: Wed Aug 29 2018(Updated: )
There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/trafficserver | 8.0.2+ds-1+deb10u6 8.1.7-0+deb10u2 8.1.7+ds-1~deb11u1 9.2.0+ds-2+deb12u1 9.2.2+ds-1 | |
| Apache Traffic Server | >=6.0.0<=6.2.2 | |
| Apache Traffic Server | >=7.0.0<=7.1.3 | |
| Debian GNU/Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.openwall.com/lists/oss-security/2018/08/29/5
- https://github.com/apache/trafficserver/pull/3192
- https://github.com/apache/trafficserver/pull/3201
- https://github.com/apache/trafficserver/pull/3231
- https://github.com/apache/trafficserver/pull/3251
- https://github.com/apache/trafficserver/commit/05d734c773900dd589480ff07572c0d7db7c3d44
- https://github.com/apache/trafficserver/commit/9659d12a21cf1870c2790fdd5acab712ed87f16e
- https://github.com/apache/trafficserver/commit/2616e580de7d66b9098c464d503a049c7814e35a
- https://github.com/apache/trafficserver/commit/3d2fdab8b0606bc8b35006f7aeb73729d364b333
- https://security-tracker.debian.org/tracker/CVE-2018-8004
- http://www.securityfocus.com/bid/105192
- https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5@%3Cusers.trafficserver.apache.org%3E
- https://www.debian.org/security/2018/dsa-4282
- https://lists.apache.org/thread.html/7df882eb09029a4460768a61f88a30c9c30c9dc88e9bcc6e19ba24d5%40%3Cusers.trafficserver.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2018-8004?
CVE-2018-8004 is classified as a moderate severity vulnerability due to its potential for HTTP smuggling and cache poisoning.
What versions of Apache Traffic Server are affected by CVE-2018-8004?
CVE-2018-8004 affects Apache Traffic Server versions from 6.0.0 to 6.2.2 and from 7.0.0 to 7.1.3.
How do I fix CVE-2018-8004?
To resolve CVE-2018-8004, users should upgrade to Apache Traffic Server version 6.2.3 or later for the 6.x series and version 7.1.4 or later for the 7.x series.
What are the consequences of not addressing CVE-2018-8004?
Leaving CVE-2018-8004 unaddressed could allow malicious clients to exploit HTTP smuggling techniques and affect cache integrity.
Is there a patch available for CVE-2018-8004?
Yes, patches for CVE-2018-8004 are included in the recommended upgrade versions of Apache Traffic Server.
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/apache
- canonical/apache traffic server
- version/apache traffic server/6.0.0
- version/apache traffic server/6.2.2
- version/apache traffic server/7.0.0
- version/apache traffic server/7.1.3
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0