Advisory

November 20 Advisory: Apache Traffic Server Vulnerabilities [CVE-2024-38479, CVE-2024-50305, CVE-2024-50306]

Date of Disclosure: November 13, 2024
Date added to CISA KEV: N/A

The Apache Software Foundation has released critical security updates for Apache Traffic Server, addressing three vulnerabilities that could expose users to various cyber threats. These flaws, affecting versions 8.0.0 through 8.1.11, 9.0.0 through 9.2.5, and 10.0.0 through 10.0.1, include risks such as cache poisoning, application crashes, and potential privilege escalation.

CVE-2024-38479 involves improper input validation in Apache Traffic Server’s cache key plugin, enabling potential cache poisoning attacks. An attacker could manipulate cache behavior by crafting specific inputs, leading to incorrect content delivery or data leakage. 

CVE-2024-50305 is a denial of service vulnerability in Apache Traffic Server that allows a crafted Host header field to cause the application to crash on certain platforms, potentially allowing attackers to disrupt the availability of the server.

CVE-2024-50306 arises from an unchecked return value during Apache Traffic Server’s startup process, which could allow the server to retain elevated privileges unintentionally.

In typical deployments, Apache Traffic Server is publicly accessible to facilitate content delivery. However, this exposure can increase its attack surface, especially if configurations are improper, versions are outdated, or access controls are insufficient. To mitigate potential security risks, it is crucial to regularly update the server and implement robust access controls to secure its management and data interfaces.

 

CVE-ID:
  • CVE-2024-38479 – CVSS 7.5 (High) assigned by CISA-ADP
  • CVE-2024-50305 – CVSS 7.5 (High) assigned by CISA-ADP
  • CVE-2024-50306 – CVSS 9.1 (Critical) assigned by CISA-ADP

Vulnerability Description:
  • Improper Input Validation vulnerability in Apache Traffic Server.
  • Valid Host header field can cause Apache Traffic Server to crash on some platforms.
  • Unchecked return value can allow Apache Traffic Server to retain privileges on startup.

Date of Disclosure: November 13, 2024

Affected Assets: Apache Traffic Server

Vulnerable Software Versions:
  • 8.0.0 – 8.1.11 (CVE-2024-38479)
  • 9.0.0 – 9.2.5 (CVE-2024-38479, CVE-2024-50305, CVE-2024-50306)
  • 10.0.0 – 10.0.1 (CVE-2024-50306)

PoC Available? No PoC available at the time of writing.

Exploitation Status: At the time of writing, none of these CVEs were published in CISA’s list of known exploited vulnerabilities or observed in GreyNoise.

Patch Status: The Apache Software Foundation has urged users to upgrade to 9.2.6 or 10.0.2 depending on your current version.

Censys Perspective

At the time of writing, Censys observed 7,623 exposed Apache Traffic Server instances online. A large proportion of these (79%) are geolocated in China. Censys observed about 76% of the exposed instances to be associated with China Telecom (ASN 4134), one of the largest telecommunications companies in China. Note that not all of these are necessarily vulnerable, as specific versions are not always available.

[Figure: map of exposed Apache Traffic Server instances]

Censys Search Query:

services.software: (vendor="Apache" and product="Traffic Server")

Censys ASM Query:

host.services.software.vendor = "Apache" and host.services.software.product = "Traffic Server"
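
For triaging your own inventory against the version ranges in this advisory, the following is an added example (not Censys or Apache code) that classifies version banners as affected, not listed, or unknown. It assumes the version appears as an `ATS/x.y.z` or `Traffic Server x.y.z` token; the function names and sample banners are constructed for illustration.

```python
import re

# Inclusive affected ranges, CVEs and fixed releases exactly as listed in this advisory.
AFFECTED = [
    ((8, 0, 0), (8, 1, 11), ["CVE-2024-38479"], None),  # advisory names no 8.x fix
    ((9, 0, 0), (9, 2, 5),
     ["CVE-2024-38479", "CVE-2024-50305", "CVE-2024-50306"], "9.2.6"),
    ((10, 0, 0), (10, 0, 1), ["CVE-2024-50306"], "10.0.2"),
]

# Assumption: the banner carries a full three-part version after the product token.
VERSION_RE = re.compile(
    r"\b(?:ATS|Traffic\s*Server)[/ ](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(banner):
    """Return (major, minor, patch), or None when no full version is disclosed."""
    match = VERSION_RE.search(banner or "")
    return tuple(int(part) for part in match.groups()) if match else None


def triage(banner):
    """Classify one banner against the advisory's version ranges."""
    version = parse_version(banner)
    if version is None:
        # Hidden or partial version: cannot be ruled out, needs manual follow-up.
        return {"status": "unknown", "cves": [], "upgrade_to": None}
    for low, high, cves, fixed in AFFECTED:
        if low <= version <= high:  # numeric tuple comparison, so 9.2.10 > 9.2.5
            return {"status": "affected", "cves": cves, "upgrade_to": fixed}
    return {"status": "not_listed", "cves": [], "upgrade_to": None}


def summarize(banners):
    """Count banners per triage status."""
    counts = {"affected": 0, "not_listed": 0, "unknown": 0}
    for banner in banners:
        counts[triage(banner)["status"]] += 1
    return counts


# Constructed sample banners, not taken from real hosts.
SAMPLE_BANNERS = ["ATS/9.2.5", "ATS/9.2.6", "ATS/8.1.11", "ATS/10.0.1",
                  "ATS", "Apache Traffic Server 10.0.2", ""]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(repr(banner), triage(banner))
    print(summarize(SAMPLE_BANNERS))
```

Hosts that land in `unknown` hide or truncate their version, so they need a direct check of the installed package rather than being counted as safe.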
