SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Apache Traffic Server
Vendors:   Apache Software Foundation
Apache Traffic Server Host Header Processing Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID:  1026847
SecurityTracker URL:  http://securitytracker.com/id/1026847
CVE Reference:   CVE-2012-0256
Date:  Mar 23 2012
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 3.0.4 and 3.1.3
Description:   A vulnerability was reported in Apache Traffic Server. A remote user can cause denial of service conditions.

A remote user can send a request with a specially crafted 'Host' header value to trigger a heap allocation error and cause the target service to crash.

The Codenomicon CROSS project reported this vulnerability via CERT-FI.

Impact:   A remote user can cause the target service to crash.
Solution:   The vendor has issued a fix (3.0.4, 3.1.3).
Vendor URL:  trafficserver.apache.org/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [ANNOUNCE] Apache Traffic Server releases for security incident CVE-2012-0256

Everyone,

Below is our announcement for the security issue reported to us by 
Codenomicon, via CERT-FI. All previous versions of Apache Traffic Server are 
vulnerable, and we urge users to upgrade to either v3.0.4 or v3.1.3 
immediately. Both releases are available from our download site at

     http://trafficserver.apache.org/downloads


In addition to fixing the CVE-2012-0256 issue, both releases include various 
other bug fixes. For more details on those fixes, please visit the download 
site above.


We would like to thank everyone involved with reporting and working on this 
incident. The CERT-FI announcement will be made available soon at

     https://www.cert.fi/en/reports/2012/vulnerability612884.html


Sincerely,

-- Leif, on behalf of the Apache Traffic Server community

CVE-2012-0256: Apache Traffic Server host header vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: All stable Apache Traffic Server versions released
before v3.0.4, as well as all development releases prior to v3.1.3.

Description: A request with a very large Host: header can cause the server
to crash. This is a heap allocation issue.

Mitigation: All v2.0.x and v3.0.x users should upgrade to v3.0.4. Users of
the current development releases, v3.1.x, should upgrade to v3.1.3.

Credit: This issue was discovered by the Codenomicon CROSS project, and
reported to Apache via CERT-FI.
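A defender-side guard for the condition the advisory describes (a request whose Host header is very large), written as an added example and not taken from this page or from Apache Traffic Server: it parses a raw HTTP/1.x request head and classifies the Host header so an edge proxy or filter can reject the request with 400 before a backend allocates for it. The 255-byte limit, the host[:port] pattern and the sample requests are assumptions chosen for the example.

```python
import re

# Bound on the accepted Host header value (assumption chosen for this example:
# a DNS name plus ":port" fits easily, so a value far beyond it is never legitimate).
MAX_HOST_LEN = 255

# host[:port]: DNS label characters, an IPv4 literal, or a bracketed IPv6 literal.
HOST_RE = re.compile(rb"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")


def parse_head(raw: bytes):
    """Split the request head (everything before the blank line) into the
    request line and a list of (name, value) pairs; any body is ignored.
    Returns (request_line, None) when a header line is malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *lines = head.split(b"\r\n")
    fields = []
    for line in lines:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return request_line, None
        fields.append((name.strip().lower(), value.strip()))
    return request_line, fields


def check_host(raw: bytes, max_len: int = MAX_HOST_LEN):
    """Classify the Host header of a raw request before it reaches a backend.
    Returns (verdict, detail); anything other than "ok" should be answered
    with 400 at the edge and logged for detection."""
    _, fields = parse_head(raw)
    if fields is None:
        return "malformed", "bad header line"
    hosts = [v for n, v in fields if n == b"host"]
    if not hosts:
        return "missing", "no Host header"
    if len(hosts) > 1:
        return "malformed", "duplicate Host header"  # HTTP/1.1 allows exactly one
    host = hosts[0]
    if len(host) > max_len:  # size check runs before any pattern matching
        return "oversized", f"Host value is {len(host)} bytes (limit {max_len})"
    if not HOST_RE.match(host):
        return "malformed", "Host value is not host[:port]"
    return "ok", host.decode("ascii")


# Constructed sample requests (not captured traffic): a normal one and one
# carrying a 64 KiB Host value of the kind the advisory warns about.
NORMAL = b"GET / HTTP/1.1\r\nHost: www.example.com:8080\r\nUser-Agent: x\r\n\r\n"
HUGE = b"GET / HTTP/1.1\r\nHost: " + b"A" * 65536 + b"\r\n\r\n"

if __name__ == "__main__":
    for req in (NORMAL, HUGE):
        print(check_host(req))
```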

Copyright 2022, SecurityGlobal.net LLC