
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN046
_____________________________________________________________________

DATE                : 26/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Apache Traffic Control versions
                                prior to 4.1.1, 5.0.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/trafficcontrol-dev/202101.mbox/%3cCAMAKGdBUVjtHQTnRS-AGqV+bH1+2wpZ9cpyUMZt2NvwE5svB4g@mail.gmail.com%3e
_____________________________________________________________________


CVE-2020-17522: Mid Tier Cache Manipulation Attack

Severity: Important

Vendor:
The Apache Software Foundation


Versions Affected:
Traffic Control 3.0.0 to 3.1.0
Traffic Control 4.0.0 to 4.1.0
The unsupported Traffic Control 3.x versions may also be affected


Description:
When ORT (now via atstccfg) generates ip_allow.config files, those files
include permissions that allow bad actors to push arbitrary content into
and remove arbitrary content from CDN cache servers. Additionally, these
permissions are potentially extended to IP addresses outside the desired
range, resulting in them being granted to clients possibly outside the
CDN architecture.
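
The audit below is an added example, not part of the Apache advisory or of the Traffic Control code base: it scans an ip_allow.config for allow rules that grant cache-modifying methods to source ranges outside an operator-defined trusted set. It assumes the legacy Apache Traffic Server line format (src_ip=... action=... method=...), that PUSH, PURGE and DELETE are the methods of concern, and that an omitted method= means all methods; the sample file and trusted ranges are constructed.

```python
import ipaddress

# Methods that write to or evict from the cache; "ALL" includes them.
RISKY = {"PUSH", "PURGE", "DELETE", "ALL"}

def parse_range(text):
    """Return (first, last) address for 'a', 'a-b' or 'a/len' notation."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return lo, hi
    net = ipaddress.ip_network(text, strict=False)
    return net[0], net[-1]

def covered(lo, hi, trusted):
    """True when the whole range lo..hi lies inside one trusted network."""
    return any(lo.version == n.version and n[0] <= lo and hi <= n[-1] for n in trusted)

def audit(config_text, trusted_cidrs):
    """Return (line_no, src_ip, risky_methods) for over-broad allow rules."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("action") != "ip_allow" or "src_ip" not in fields:
            continue
        # Assumption: a rule without method= applies to every method.
        methods = set(fields.get("method", "ALL").upper().split("|"))
        lo, hi = parse_range(fields["src_ip"])
        if methods & RISKY and not covered(lo, hi, trusted):
            findings.append((no, fields["src_ip"], sorted(methods & RISKY)))
    return findings

# Constructed sample configuration and trusted ranges (not from a real CDN).
SAMPLE = """\
# constructed sample
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=10.0.0.0/8 action=ip_allow method=ALL
src_ip=192.0.2.0-192.0.2.255 action=ip_allow method=PUSH|PURGE
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
"""
TRUSTED = ["127.0.0.0/8", "10.1.0.0/16"]

if __name__ == "__main__":
    for no, src, methods in audit(SAMPLE, TRUSTED):
        print(f"line {no}: {src} is allowed {'|'.join(methods)} outside trusted ranges")
```

The check is per rule and does not model rule ordering, so a finding means the line deserves review, not that the method is necessarily reachable.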


Mitigation:
3.x users should upgrade to 4.1.1, 5.0.0, or later versions.
4.0.x and 4.1.0 users should upgrade to 4.1.1 or later versions.


Credit:
This issue was discovered by Chris Lemmons of Comcast.


References:
https://trafficcontrol.apache.org/security/

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


