Denial of Service Vulnerability in Apache Traffic Control's Traffic Router Component
CVE-2017-7670

7.5HIGH

Key Information:

Vendor

Apache
Status
Apache Traffic Control
Vendor
CVE Published:
10 July 2017

What is CVE-2017-7670?

The Traffic Router component of Apache Traffic Control is susceptible to a Slowloris style Denial of Service attack. This vulnerability arises when TCP connections on the designated DNS port remain in an ESTABLISHED state until manually closed by the client or until a restart of the Traffic Router occurs. If connections persist and accumulate up to the limits set by the thread pool handling DNS requests, it may lead to the exhaustion of the pool. Consequentially, this leaves the Traffic Router incapable of processing any further DNS requests, regardless of the network transport protocol being used.

Affected Version(s)

Apache Traffic Control 1.8.0 incubating

Apache Traffic Control 2.0.0 RC0 incubating

References

https://lists.apache.org/thread.html/42b207e9f526353b5045...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/bb09fc29e9c2ee85b118...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r3c675031ac220b5eae6...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.