Lucene search

[email protected]CVE-2017-7670

HistoryJul 10, 2017 - 6:29 p.m.

CVE-2017-7670

2017-07-1018:29:00

CWE-400

[email protected]

web.nvd.nist.gov

cve-2017-7670

apache traffic control

traffic router

denial of service

slowloris

nvd

security advisory

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

55.8%

JSON

The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Traffic Router is restarted. If connections remain in the ESTABLISHED state indefinitely and accumulate in number to match the size of the thread pool dedicated to processing DNS requests, the thread pool becomes exhausted. Once the thread pool is exhausted, Traffic Router is unable to service any DNS request, regardless of transport protocol.

Affected configurations

NVD

Node

apachetraffic_controlRange≤1.8.0

apachetraffic_controlMatch1.8.1rc0

apachetraffic_controlMatch2.0.0rc1

apachetraffic_controlMatch2.0.0rc2

apachetraffic_controlMatch2.0.0rc3

apachetraffic_controlMatch2.0.0rc4

apachetraffic_controlMatch2.0.0rc5

apachetraffic_controlMatch2.0.0rc6

CPENameOperatorVersion
apache:traffic_controlapache traffic controlle1.8.0
apache:traffic_controlapache traffic controleq1.8.1
apache:traffic_controlapache traffic controleq2.0.0

CPE	Name	Operator	Version
apache:traffic_control	apache traffic control	le	1.8.0
apache:traffic_control	apache traffic control	eq	1.8.1
apache:traffic_control	apache traffic control	eq	2.0.0

CNA Affected

[
  {
    "product": "Apache Traffic Control",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "1.8.0 incubating"
      },
      {
        "status": "affected",
        "version": "2.0.0 RC0 incubating"
      }
    ]
  }
]

References

lists.apache.org/thread.html/42b207e9f526353b504591684bd02a5e9fcb4b8f28534253d07740a0%40%3Cusers.trafficcontrol.apache.org%3E

lists.apache.org/thread.html/bb09fc29e9c2ee85b118a3d5748a8a523d30cf691ff8b606c6a1748c%40%3Ccommits.trafficcontrol.apache.org%3E

lists.apache.org/thread.html/r3c675031ac220b5eae64a9c84a03ee60045c6045738607dca4a96cb8%40%3Ccommits.trafficcontrol.apache.org%3E

Social References

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

55.8%

JSON

Related for CVE-2017-7670

osv2 prion1 github1 cvelist1 nvd1 gitlab1