CVE-2019-17565
📋 TL;DR
Apache Traffic Server versions 6.0.0-6.2.3, 7.0.0-7.1.8, and 8.0.0-8.0.5 contain an HTTP request smuggling vulnerability via chunked encoding manipulation. This allows attackers to bypass security controls, poison caches, or hijack user sessions. Organizations running affected versions of Apache Traffic Server as reverse proxies or load balancers are at risk.
💻 Affected Systems
- Apache Traffic Server
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass security controls, poison proxy caches with malicious content, hijack user sessions, or perform web cache deception attacks leading to credential theft.
Likely Case
Cache poisoning leading to users receiving malicious content, session hijacking, or bypassing security filters and access controls.
If Mitigated
Limited impact if proper network segmentation and monitoring are in place, but still presents a significant security bypass risk.
🎯 Exploit Status
HTTP request smuggling attacks require understanding of HTTP protocol manipulation but are well-documented attack patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.9, 8.0.6, or later versions
Vendor Advisory: https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E
Restart Required: Yes
Instructions:
1. Download the latest version from the Apache Traffic Server website.
2. Stop the Traffic Server service.
3. Back up configuration files.
4. Install the patched version.
5. Restore the configuration.
6. Start the service.
7. Verify functionality.
🔧 Temporary Workarounds
Disable chunked encoding
Configure Traffic Server to reject or normalize chunked encoding requests:
# Add to records.config:
CONFIG proxy.config.http.chunking_enabled INT 0
🧯 If You Can't Patch
- Implement WAF rules to detect and block HTTP request smuggling attempts
- Monitor logs for unusual chunked encoding patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Run traffic_server -v and compare the reported version against the affected ranges (6.0.0-6.2.3, 7.0.0-7.1.8, 8.0.0-8.0.5).
Verify Fix Applied:
Confirm the reported version is 7.1.9+, 8.0.6+, or otherwise outside the affected ranges.
📡 Detection & Monitoring
Log Indicators:
- Multiple requests from single connection with chunked encoding anomalies
- Unexpected cache hits/misses patterns
- HTTP 400 errors with chunked encoding
Network Indicators:
- Unusual chunked transfer encoding patterns
- HTTP requests with malformed chunk sizes
- Requests that appear to contain multiple HTTP messages
SIEM Query:
source="traffic_server" AND ("chunked" OR "transfer-encoding") AND (status=400 OR "malformed")
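A defender-side checker for the log and network indicators above, added here as an example and not part of the advisory or of Apache Traffic Server: it parses one raw HTTP/1.x request and reports conflicting or duplicated framing headers, non-canonical Transfer-Encoding values, malformed chunk-size lines, and a second request line following the terminating chunk. The sample requests are constructed, not captured traffic.

```python
import re
from typing import Dict, List

# Constructed sample requests: a clean chunked POST, one with conflicting framing headers and a second message after the last chunk, one with a malformed chunk size.
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")
CL_TE_CONFLICT = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /status HTTP/1.1\r\nHost: example.test\r\n\r\n")
BAD_CHUNK = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5 5\r\nhello\r\n0\r\n\r\n")
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?$", re.M)
CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]+(;[^\r\n]*)?$")  # hex size plus optional chunk extension

def smuggling_indicators(raw: bytes) -> List[str]:
    """Return the framing anomalies (from the indicator list above) found in one raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, List[bytes]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line, fold repeated headers together
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    cl, te = headers.get(b"content-length", []), headers.get(b"transfer-encoding", [])
    reasons = []
    if cl and te:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1 or len(te) > 1:
        reasons.append("duplicate framing headers")
    reasons += [f"non-canonical Transfer-Encoding value {v!r}" for v in te if v.lower() != b"chunked"]
    return reasons + (check_chunks(body) if te else [])

def check_chunks(body: bytes) -> List[str]:
    """Walk a chunked body: flag bad chunk-size lines and any data after the terminating chunk."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return ["unterminated chunked body"]
        if not CHUNK_SIZE.match(size_line := body[pos:end]):
            return [f"malformed chunk size {size_line!r}"]
        size = int(size_line.split(b";")[0], 16)
        if size == 0:  # last chunk: skip optional trailers up to the final CRLF CRLF
            term = body.find(b"\r\n\r\n", end)
            rest = body[term + 4:] if term >= 0 else b""
            if REQUEST_LINE.search(rest):
                return ["second HTTP request after last chunk"]
            return ["trailing bytes after last chunk"] if rest.strip() else []
        pos = end + 2 + size  # step over the chunk data; it must be followed by CRLF
        if body[pos:pos + 2] != b"\r\n":
            return ["chunk data length does not match declared size"]
        pos += 2
```

Run it over requests reconstructed from a packet capture or a WAF's full-request log; any non-empty result is worth an alert, and the CL/TE conflict alone is enough to reject the request at the edge.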
🔗 References
- https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E
- https://www.debian.org/security/2020/dsa-4672