CVE-2020-9481

7.5 HIGH

📋 TL;DR

Apache Traffic Server (ATS) 6.0.0 through 6.2.3, 7.0.0 through 7.1.9, and 8.0.0 through 8.0.6 are vulnerable to an HTTP/2 slow read denial of service. A client opens streams for large responses and then accepts the data at a trickle, by advertising a tiny flow-control window or sending WINDOW_UPDATE frames rarely and with small increments, so ATS has to keep each stream, its buffered response and the associated upstream transaction alive for as long as the client chooses. Enough such streams, from one or many connections, exhaust memory and connection capacity and starve legitimate clients. Any organization running an affected ATS as an HTTP/2 reverse proxy or cache in front of untrusted clients is exposed.

💻 Affected Systems

Products:
  • Apache Traffic Server
Versions: 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6
Operating Systems: All platforms running affected ATS versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects HTTP/2 connections. HTTP/1.x connections are not vulnerable.

📦 What is this software?

Apache Traffic Server is an open-source, high-performance HTTP caching proxy from the Apache Software Foundation, deployed as a forward proxy, reverse proxy and CDN cache tier. It terminates client connections (HTTP/1.x and HTTP/2) and forwards requests to origin servers, so its connection and stream handling is directly exposed to untrusted clients.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage: ATS stops answering, every site or origin it fronts becomes unreachable through it, and the outage lasts for as long as the attacker keeps the streams open.

🟠

Likely Case

Degraded performance, increased latency, and intermittent service disruptions affecting HTTP/2 traffic.

🟢

If Mitigated

Minimal impact with proper rate limiting, connection limits, and monitoring in place.

🌐 Internet-Facing: HIGH - HTTP/2 servers directly exposed to the internet are highly vulnerable to this attack.
🏢 Internal Only: MEDIUM - an attacker already on the internal network, or a compromised internal host, can still mount the attack; exposure is reduced, not removed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

HTTP/2 slow read is a well-understood technique (the HTTP/2 analogue of the Slowloris-style slow read attacks against HTTP/1.x) and generic tooling for it exists. The attacker needs nothing more than the ability to open HTTP/2 connections to the server: no credentials, no special request content, and very little bandwidth.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.4, 7.1.10, 8.0.7

Vendor Advisory: https://lists.apache.org/thread.html/r21ddaf0a4a973f3c43c7ff399ae50d2f858f13f87bd6a9551c5cf6db%40%3Cannounce.trafficserver.apache.org%3E

Restart Required: Yes

Instructions:

1. Check the vendor advisory for the exact release your branch should move to, then download it from the Apache Traffic Server download page and verify the release signature or checksum before installing.
2. Back up the configuration directory (records.config, remap.config, ssl_multicert.config and plugin configuration) and any custom plugins.
3. Stop the ATS service.
4. Install the patched version and re-deploy any custom plugins.
5. Start ATS.
6. Confirm the running version and that HTTP/2 clients still negotiate h2 and are served normally.

🔧 Temporary Workarounds

Disable HTTP/2

Platforms: all

Temporarily turn off HTTP/2 so ATS stops advertising h2 via ALPN. Clients fall back to HTTP/1.1, which is not affected, at the cost of HTTP/2 multiplexing for legitimate users.

# Edit records.config and set: CONFIG proxy.config.http2.enabled INT 0
# Then restart ATS (7.x/8.x): traffic_ctl server restart
# (6.x uses traffic_line instead: traffic_line -L)

Limit HTTP/2 streams per connection

Platforms: all

Cap how many streams one client connection can hold open, which bounds how much a single slow reader can pin per connection. Note that 100 is already the default for max_concurrent_streams_in and 0 (unlimited) for max_active_streams_in, so the values have to go down to change anything; pick a number your legitimate clients stay under.

# Edit records.config and lower both caps, for example:
# CONFIG proxy.config.http2.max_concurrent_streams_in INT 32
# CONFIG proxy.config.http2.max_active_streams_in INT 32
# Then restart ATS: traffic_ctl server restart
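A fuller records.config fragment that combines both workarounds with the timeouts that bound how long a stalled stream can live. This is an added example, not configuration from the ATS project or the advisory; the numeric values are assumed starting points for a typical reverse-proxy deployment and must be tuned against your own traffic, and you should confirm each key exists on your branch (`traffic_ctl config describe <key>`) before relying on it, since min_avg_window_update in particular is not present on every release.

```text
# Added example: hardened HTTP/2 settings for records.config (illustrative values)

# Option A: remove the attack surface entirely (clients fall back to HTTP/1.1)
CONFIG proxy.config.http2.enabled INT 0

# Option B: keep HTTP/2 but bound what one client can hold open.
# Streams a single connection may have open at once (default 100) and how
# many may be actively transferring at once (default 0 = unlimited).
CONFIG proxy.config.http2.max_concurrent_streams_in INT 32
CONFIG proxy.config.http2.max_active_streams_in INT 32

# Close a client connection with no activity for this many seconds (default 120),
# so a stream the attacker never drains is reaped instead of held forever.
CONFIG proxy.config.http2.no_activity_timeout_in INT 30
# Hard ceiling on the lifetime of a client connection, in seconds.
CONFIG proxy.config.http2.active_timeout_in INT 600

# Minimum average WINDOW_UPDATE increment a client must send; a client whose
# average falls below it is treated as a slow reader and disconnected.
# Raise it to be stricter (check that your branch has this key).
CONFIG proxy.config.http2.min_avg_window_update FLOAT 4096.0

# Overall cap on inbound connections (all protocols) the proxy will accept.
CONFIG proxy.config.net.max_connections_in INT 30000
```

Apply with `traffic_ctl config reload` for the reloadable keys and restart ATS for the rest; then confirm with `traffic_ctl config get` on each key that the running values are what you set.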

🧯 If You Can't Patch

  • Enforce per-client limits on HTTP/2 connections and streams, and idle/activity timeouts, at the edge so one source cannot hold many streams open
  • Put an HTTP/2-aware load balancer or WAF with slow-read protection (minimum transfer rate, stream caps) in front of ATS; terminating HTTP/2 at that edge and speaking HTTP/1.1 to ATS removes the exposure entirely, since HTTP/1.x connections are not affected

🔍 How to Verify

Check if Vulnerable:

Read the running version from the binary:

traffic_server -V | grep 'Apache Traffic Server'

You are affected if the reported version falls in 6.0.0-6.2.3, 7.0.0-7.1.9 or 8.0.0-8.0.6 and HTTP/2 is enabled (proxy.config.http2.enabled INT 1 in records.config, which is the default).

Verify Fix Applied:

Verify the version is 6.2.4+, 7.1.10+ or 8.0.7+ within its branch, that the service was restarted after the upgrade, and that HTTP/2 still negotiates (ALPN h2) and serves normal clients.
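A version check that automates the comparison above, as an added example (not a script from the ATS project or the advisory). It parses the banner that `traffic_server -V` prints, compares it against the affected ranges stated on this page, and names the first fixed release for that branch. The banner embedded for offline use is constructed, and the exact wording of the real banner varies between releases, so the regex keys only on the "Apache Traffic Server" line and the first X.Y.Z that follows it.

```python
import re
import shutil
import subprocess

# Affected ranges from the advisory on this page, inclusive (major, minor, patch).
AFFECTED = [
    ((6, 0, 0), (6, 2, 3)),
    ((7, 0, 0), (7, 1, 9)),
    ((8, 0, 0), (8, 0, 6)),
]
# First fixed release per major branch, as listed on this page.
FIRST_FIXED = {6: (6, 2, 4), 7: (7, 1, 10), 8: (8, 0, 7)}

# `traffic_server -V` prints a line containing
# "Apache Traffic Server - traffic_server - X.Y.Z - (...)".
VERSION_RE = re.compile(r"Apache Traffic Server\b.*?(\d+)\.(\d+)\.(\d+)")

# Constructed sample banner for offline use (not captured from a real host).
SAMPLE_BANNER = (
    "[TrafficServer] using root directory '/usr'\n"
    "Apache Traffic Server - traffic_server - 8.0.6 - "
    "(build # 041414 on Apr 14 2020 at 14:05:47)\n"
)


def parse_version(banner):
    """Return (major, minor, patch) from traffic_server -V output, or raise ValueError."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no 'Apache Traffic Server ... X.Y.Z' line found in banner")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version tuple lies inside one of the affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED)


def assess(banner):
    """Return (vulnerable, running_version, first_fixed_version_or_None)."""
    v = parse_version(banner)
    running = ".".join(map(str, v))
    if not is_vulnerable(v):
        return (False, running, None)
    fixed = FIRST_FIXED[v[0]]
    return (True, running, ".".join(map(str, fixed)))


def banner_from_host():
    """Run traffic_server -V on this host; None if the binary is not on PATH."""
    exe = shutil.which("traffic_server")
    if exe is None:
        return None
    proc = subprocess.run([exe, "-V"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    banner = banner_from_host() or SAMPLE_BANNER
    vulnerable, running, fixed = assess(banner)
    if vulnerable:
        print(f"ATS {running} is in an affected range for CVE-2020-9481; "
              f"upgrade to {fixed} or later in that branch")
    else:
        print(f"ATS {running} is outside the affected ranges")
```

Run it on the proxy host; if traffic_server is not on PATH it falls back to the constructed sample so the logic can still be exercised. Pair it with `traffic_ctl config get proxy.config.http2.enabled` so you also know whether the exposed protocol is actually switched on.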

📡 Detection & Monitoring

Log Indicators:

  • HTTP/2 transactions that end after tens of seconds having delivered only a small fraction of the response body
  • Many such transactions from one client IP, typically requesting the same large object
  • No-activity and active timeouts firing far more often than usual for HTTP/2 clients
  • Rising memory use in traffic_server, and the gauges proxy.process.http2.current_client_connections and proxy.process.http2.current_client_streams climbing while request throughput does not
  • Slow response times for legitimate HTTP/2 requests

Network Indicators:

  • Excessive HTTP/2 connections or open streams from single sources
  • WINDOW_UPDATE frames with very small increments, or a tiny SETTINGS_INITIAL_WINDOW_SIZE, from the same clients
  • Sustained low-bandwidth HTTP/2 transfers: connections that stay open for minutes but move only a few bytes per second

SIEM Query:

source="ats_logs" AND http_version="2" AND transaction_duration > 30 AND bytes_sent < 1024

Group the matches by client IP and alert when one source accounts for several within a minute. The field names above are placeholders: map them to the tags in your own ATS log format (client IP, request protocol version, transaction time, bytes sent to the client).
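The same heuristic as the query above, run offline over sample access-log lines, as an added example (not tooling from the ATS project). It treats an HTTP/2 transaction as a stalled stream when it lived at least 30 seconds yet delivered less than a tenth of its response, and flags a client once it has several of them. The log format, thresholds and field layout are assumptions for the example; the log lines are constructed, and in a real deployment you would map the columns to the tags in your ATS logging configuration.

```python
from collections import defaultdict

# Detection thresholds (assumed starting points; tune to your traffic).
MIN_DURATION_MS = 30_000       # stream held open at least 30 s
STALLED_FRACTION = 0.10        # client drained less than 10% of the response
MIN_STALLED_STREAMS = 3        # flag a client after this many stalled streams

# Constructed sample log, not real ATS output. One transaction per line, fields:
# client_ip http_version duration_ms response_content_length bytes_sent status
SAMPLE_LOG = """\
203.0.113.5 2 120 48211 48211 200
203.0.113.5 2 95 1024 1024 200
198.51.100.7 2 61000 5242880 3200 200
198.51.100.7 2 60500 5242880 2816 200
198.51.100.7 2 62000 5242880 4096 200
198.51.100.7 2 60100 5242880 1536 200
198.51.100.7 2 59800 5242880 2048 200
192.0.2.9 1.1 45000 5242880 5242880 200
192.0.2.9 2 40000 5242880 5242880 200
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ip, ver, dur, clen, sent, status = line.split()
    return {
        "ip": ip,
        "http_version": ver,
        "duration_ms": int(dur),
        "content_length": int(clen),
        "bytes_sent": int(sent),
        "status": int(status),
    }


def drain_rate_bps(rec):
    """Bytes per second the client actually accepted over the life of the stream."""
    return rec["bytes_sent"] / max(rec["duration_ms"], 1) * 1000.0


def is_stalled_stream(rec):
    """An HTTP/2 stream that lived a long time yet took almost none of its response."""
    if not rec["http_version"].startswith("2"):
        return False  # HTTP/1.x is not affected; a slow HTTP/1.1 download is not this attack
    if rec["duration_ms"] < MIN_DURATION_MS or rec["content_length"] <= 0:
        return False
    return rec["bytes_sent"] < STALLED_FRACTION * rec["content_length"]


def find_slow_readers(log_text):
    """Return {client_ip: stalled_stream_count} for clients at or over the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_stalled_stream(rec):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= MIN_STALLED_STREAMS}


if __name__ == "__main__":
    for ip, n in find_slow_readers(SAMPLE_LOG).items():
        print(f"{ip}: {n} stalled HTTP/2 streams")
```

Two caveats when moving this onto real logs. ATS writes a transaction to the access log when it ends, so a stream the attacker never drains does not appear until a timeout closes it; set proxy.config.http2.no_activity_timeout_in low enough that stalled streams are reaped and logged. For the in-progress picture, watch the live gauges proxy.process.http2.current_client_streams and proxy.process.http2.current_client_connections with `traffic_ctl metric get`. The long HTTP/1.1 and fully drained HTTP/2 downloads in the sample are there to show that duration alone is not the signal; the ratio of bytes delivered to bytes owed is.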

🔗 References
