CVE-2024-50305: 
Apache Traffic Server vulnerability analysis and mitigation

Apache Traffic Server has been identified with a vulnerability (CVE-2024-50305) where a valid Host header field can trigger crashes on certain platforms. This vulnerability affects Apache Traffic Server versions from 9.2.0 through 9.2.5. The issue was disclosed on November 13, 2024, and was reported by Masakazu Kitajo (Apache List, Openwall).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) by CISA-ADP with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified under CWE-20 (Improper Input Validation) by Apache Software Foundation and CWE-120 (Buffer Copy without Checking Size of Input) by CISA-ADP (NVD).

The vulnerability can result in a denial-of-service condition, allowing attackers to disrupt website availability and impact legitimate users. When exploited, the crafted Host header field can cause the application to crash on certain platforms, affecting the server's availability (SecurityOnline, Censys).

Users are strongly recommended to upgrade to Apache Traffic Server version 9.2.6, which contains the fix for this vulnerability. Alternatively, users can upgrade to version 10.0.2, which is not affected by this issue (NVD, Censys).

Censys reports that there are 7,623 exposed Apache Traffic Server instances online, with approximately 79% of these instances geolocated in China. About 76% of the exposed instances are associated with China Telecom (ASN 4134) (Censys).