CVE-2024-50306: 
Apache Traffic Server vulnerability analysis and mitigation

Apache Traffic Server has been identified with a critical security vulnerability (CVE-2024-50306) related to privilege retention during startup. The vulnerability affects Apache Traffic Server versions from 9.2.0 through 9.2.5 and from 10.0.0 through 10.0.1. This security flaw was discovered by Jeffrey BENCTEUX and publicly disclosed on November 13, 2024 (Apache List, OSS Security).

The vulnerability stems from an unchecked return value during Apache Traffic Server's startup process, which could allow the server to retain elevated privileges unintentionally. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 9.1 (Critical) by CISA-ADP, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. The issue has been classified under CWE-252 (Unchecked Return Value) (Censys Report, NVD).

The vulnerability's impact is significant as it affects the privilege management of the Apache Traffic Server. According to Censys observations, there are approximately 7,623 exposed Apache Traffic Server instances online, with 79% of these instances geolocated in China. About 76% of the exposed instances are associated with China Telecom (ASN 4134) (Censys Report).

The Apache Software Foundation has released patches to address this vulnerability. Users running version 9.x are strongly recommended to upgrade to version 9.2.6 or later, while users on version 10.x should upgrade to version 10.0.2 or later. The fixes have been implemented through commits 27f504883547502b1f5e4e389edd7f26e3ab246f (9.2.6-rc0) and ae638096e259121d92d46a9f57026a5ff5bc328b (master) (Debian Security).