=====================================================================
                            CERT-Renater

                 Information Note No. 2020/VULN227
_____________________________________________________________________

DATE                 : 28/04/2020

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Apache Traffic Server versions
                       prior to 7.1.10, 8.0.7.

=====================================================================
http://mail-archives.apache.org/mod_mbox/trafficserver-announce/202004.mbox/%3cB8EABE22-3B45-4857-9F16-3656173B5561@apache.org%3e
_____________________________________________________________________

Description:
ATS is vulnerable to a HTTP/2 slow read attack

CVE:
CVE-2020-9481

Reported By:
Masaori Koshiba

Vendor:
The Apache Software Foundation

Version Affected:
ATS 6.0.0 to 6.2.3
ATS 7.0.0 to 7.1.9
ATS 8.0.0 to 8.0.6

Mitigation:
6.x users should upgrade to 7.1.10, 8.0.7, or later versions
7.x users should upgrade to 7.1.10 or later versions
8.x users should upgrade to 8.0.7 or later versions

References:
Downloads:
https://trafficserver.apache.org/downloads
(Please use backup sites from the link only if the mirrors are unavailable)

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9481

-Bryan

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================