CVE-2018-8005
First published: Tue Aug 28 2018(Updated: )
When there are multiple ranges in a range request, Apache Traffic Server (ATS) will read the entire object from cache. This can cause performance problems with large objects in cache. This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x users should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/trafficserver | 8.0.2+ds-1+deb10u6 8.1.7-0+deb10u2 8.1.7+ds-1~deb11u1 9.2.0+ds-2+deb12u1 9.2.2+ds-1 | |
| Apache Traffic Server | >=6.0.0<=6.2.2 | |
| Apache Traffic Server | >=7.0.0<=7.1.3 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.openwall.com/lists/oss-security/2018/08/29/4
- https://github.com/apache/trafficserver/pull/3106
- https://github.com/apache/trafficserver/pull/3124
- https://github.com/apache/trafficserver/commit/bbcbb7cf7f25ebfe3a97d792e889de618e41a6a4
- https://security-tracker.debian.org/tracker/CVE-2018-8005
- http://www.securityfocus.com/bid/105187
- https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca@%3Cusers.trafficserver.apache.org%3E
- https://www.debian.org/security/2018/dsa-4282
- https://lists.apache.org/thread.html/55d225af92887bfed0194400fd1b718622cca4140fc7318d982e25ca%40%3Cusers.trafficserver.apache.org%3E
Frequently Asked Questions
What is CVE-2018-8005?
CVE-2018-8005 is a vulnerability in Apache Traffic Server that can cause performance problems when there are multiple ranges in a range request.
Which versions of Apache Traffic Server are affected?
Versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3 of Apache Traffic Server are affected.
How can the performance problems be resolved?
To resolve this issue, users running version 6.x should upgrade to version 8.0.2+ds-1+deb10u6 or higher.
Is there a fix available for Apache Traffic Server version 7.x?
Yes, users running version 7.x should upgrade to version 8.1.7-0+deb10u2 or higher.
Where can I find more information about CVE-2018-8005?
You can find more information about CVE-2018-8005 at the following references: [Reference 1](https://www.openwall.com/lists/oss-security/2018/08/29/4), [Reference 2](https://github.com/apache/trafficserver/pull/3106), [Reference 3](https://github.com/apache/trafficserver/pull/3124).
- collector/security-tracker-debian
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/apache
- canonical/apache traffic server
- version/apache traffic server/6.0.0
- version/apache traffic server/6.2.2
- version/apache traffic server/7.0.0
- version/apache traffic server/7.1.3
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0