
Security Issues in Apache Traffic Server and Their Negative Impact
The Apache Software Foundation has recently released critical security updates to address several dangerous vulnerabilities discovered in its Apache Traffic Server (ATS) software.
These vulnerabilities allow attackers to manipulate server systems by crafting improperly structured requests, bypass authentication, and disrupt resource management.
The vulnerabilities affect ATS versions 9.0.0–9.2.8 and 10.0.0–10.0.3, and it is strongly recommended to immediately update to version 9.2.9 or 10.0.4 or later to ensure protection.
The key security vulnerabilities in Apache Traffic Server include:
1. HTTP Request Smuggling Attack (CVE-2024-38311)
This vulnerability was discovered by Ben Kallus and allows attackers to exploit inconsistencies in chunked transfer encoding processing within the HTTP/1.1 protocol.
Attackers can send specially crafted requests that Apache Traffic Server and backend servers interpret differently, leading to security bypasses.
▶ Attack Method:
- The attacker includes both the Transfer-Encoding: chunked and Content-Length headers in an incorrect order.
- ATS misinterprets the request and forwards a smuggled HTTP request to the backend server.
- This can lead to authentication bypass, security firewall evasion, and other security violations.
📌 High-Risk Scenarios:
- Cloud services where web applications interact with ATS.
- Attackers may execute hidden commands, bypassing security mechanisms such as authentication or web application firewalls.
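As an added illustration from the defender's side (not code from this advisory or from ATS itself), the check below is a hypothetical front-end filter that rejects HTTP/1.1 request heads with the ambiguous body framing described above: both Transfer-Encoding and Content-Length present, chunked not the final coding, or disagreeing Content-Length values. The sample requests are constructed, not captured traffic.

```python
import re

# Hypothetical front-end check (not ATS code): flag HTTP/1.1 request heads whose
# body framing is ambiguous, so the proxy can reject them instead of forwarding.
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

def parse_head(raw: bytes) -> tuple[bytes, dict[str, list[str]]]:
    """Return the request line and a lower-cased header map (repeats kept in order).
    Folded continuation lines (obs-fold) are rejected; RFC 9112 forbids them in requests."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obs-fold header line")
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(m.group(1).decode().lower(), []).append(m.group(2).decode())
    return lines[0], headers

def smuggling_verdict(raw: bytes) -> str:
    """Return 'ok', or 'reject: <reason>' when a proxy and an origin could frame the body differently."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return f"reject: {exc}"
    # Both headers are list-valued, so split on commas and normalise each element.
    te = [v.strip().lower() for vals in headers.get("transfer-encoding", []) for v in vals.split(",")]
    cl = [v.strip() for vals in headers.get("content-length", []) for v in vals.split(",")]
    if te and cl:
        return "reject: Transfer-Encoding and Content-Length both present"
    if te and te[-1] != "chunked":
        return "reject: chunked is not the final transfer coding"
    if te.count("chunked") > 1:
        return "reject: chunked applied more than once"
    if len(set(cl)) > 1:
        return "reject: conflicting Content-Length values"
    if any(not v.isdigit() for v in cl):
        return "reject: non-numeric Content-Length"
    return "ok"

# Constructed sample requests (not captured traffic) for a quick self-check.
CONFLICTING = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("conflicting", CONFLICTING), ("clean", CLEAN)):
        print(f"{name}: {smuggling_verdict(req)}")
```

Rejecting rather than silently dropping one header keeps the proxy's view of the message boundary identical to the origin's, which is the property a smuggling attack needs to break.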
2. Authorization Bypass via Intercept Plugin (CVE-2024-56195)
This vulnerability was discovered by Masaori Koshiba and highlights improper authorization checks in ATS Intercept Plugins.
🔴 Security Impact:
- ATS Intercept Plugins are used to filter and modify network traffic.
- However, they can be accessed by unauthorized users, allowing them to alter caching strategies or inject malicious content.
📌 Critical Risk Scenarios:
- In multi-tenant infrastructures, where multiple clients share an ATS server, this vulnerability could allow unauthorized access to other users’ data.
3. ACL Rules Misconfiguration (CVE-2024-56196)
Security researcher Chris McFarlen discovered that ACL (Access Control List) rules in ATS 10.x do not function correctly.
🔴 Security Risks:
- When upgrading from ATS 9.x to 10.x, old ACL rules may be misinterpreted.
- As a result, previously blocked IP addresses may remain accessible, or permitted networks might be mistakenly restricted.
📌 Critical Scenarios:
- If ACL rules are not properly adapted after an upgrade, firewalls and network policies may fail, leading to security breaches.
- Attackers could bypass security barriers and directly attack backend servers.
4. Resource Exhaustion via “Expect” Header (CVE-2024-56202)
Security researcher David Carlin found that ATS fails to properly handle connections when clients send an Expect: 100-continue header but never complete the request.
🔴 Attack Method:
- The attacker sends an HTTP request with the Expect: 100-continue header but never follows up with the actual request body.
- ATS, by default, waits indefinitely, causing a denial of service due to resource exhaustion.
📌 High-Risk Scenarios:
- This vulnerability can be exploited in DDoS attacks, where attackers overload ATS servers with half-open connections, causing them to crash.
The Apache Software Foundation has addressed these security issues in ATS versions 9.2.9 and 10.0.4. These updates:
✅ Prevent improper chunked encoding pipelining usage.
✅ Enforce authentication and ACL validation for Intercept Plugins.
✅ Fix issues related to misinterpreted ACL rules.
✅ Introduce a 30-second timeout for Expect: 100-continue connections.
Additional Security Measures:
🔹 Disable HTTP pipelining → Set proxy.config.http.server_pipeline to 0.
🔹 Apply additional IP restrictions for plugins → Modify security rules in plugin.config.
🔹 Increase timeout parameters → Set proxy.config.http.wait_for_timeout to 30000 milliseconds.
🔹 Use a Web Application Firewall (WAF) → Analyze incoming requests and block suspicious activities.
These vulnerabilities highlight that HTTP protocol-based exploits remain a serious threat. Similar issues were recently discovered in NGINX and HAProxy, proving that HTTP stack vulnerabilities are still a major security concern.
🛡 Organizations using Apache Traffic Server must update immediately and implement additional security measures. Otherwise, attackers could exploit these vulnerabilities, causing significant damage.