Page MenuHomePhabricator

Backport ATS 8.1.2 security fixes to our in-house ATS 8.0.8
Closed, ResolvedPublicSecurity

Description

Per https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E ATS 8.1 ships the following security fixes:

CVE-2021-27577 Incorrect handling of url fragment leads to cache poisoning
CVE-2021-32565 HTTP Request Smuggling, content length with invalid charters
CVE-2021-32566 Specific sequence of HTTP/2 frames can cause ATS to crash
CVE-2021-32567 Reading HTTP/2 frames too many times
CVE-2021-35474 Dynamic stack buffer overflow in cachekey plugin

Sadly we don't have a clear upgrade path from our current ATS 8.0.8 to ATS 8.1.2 as the last time we tried an ATS 8.1 build we observed serious performance drawbacks on ATS backend

Details

Author Affiliation
WMF Technology Dept

Event Timeline

Vgutierrez edited projects, added Traffic, SRE; removed Security-Team.
Vgutierrez claimed this task.

All cp servers are now running ATS 8.0.8-1wm4:

===== NODE GROUP =====                                                                                                                                                            
(76) cp[2027-2042].codfw.wmnet,cp[1075-1090].eqiad.wmnet,cp[5001-5016].eqsin.wmnet,cp[3050-3065].esams.wmnet,cp[4021-4032].ulsfo.wmnet                                            
----- OUTPUT of 'apt-cache policy...r|grep Installed' -----                                                                                                                       
  Installed: 8.0.8-1wm4
ema changed the edit policy from "Custom Policy" to "All Users".Jun 28 2021, 11:31 AM
ema changed the visibility from "Custom Policy" to "Public (No Login Required)".