Denial of Service Vulnerability in Apache Traffic Control's Traffic Router Component
CVE-2017-7670
7.5HIGH
Summary
The Traffic Router component of Apache Traffic Control is susceptible to a Slowloris style Denial of Service attack. This vulnerability arises when TCP connections on the designated DNS port remain in an ESTABLISHED state until manually closed by the client or until a restart of the Traffic Router occurs. If connections persist and accumulate up to the limits set by the thread pool handling DNS requests, it may lead to the exhaustion of the pool. Consequentially, this leaves the Traffic Router incapable of processing any further DNS requests, regardless of the network transport protocol being used.
Affected Version(s)
Apache Traffic Control 1.8.0 incubating
Apache Traffic Control 2.0.0 RC0 incubating
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved