CVE-2017-7670

Severity: 7.5 HIGH
EPSS: 1.7% (top 17.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
Published: Jul 10
Latest update: May 13

Description

The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Traffic Router is restarted. If connections remain in the ESTABLISHED state indefinitely and accumulate in number to match the size of the thread pool dedicated to processing DNS requests, the thread pool becomes exhausted.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Go: github.com/apache/trafficcontrol 1.1.4 1.8.1 +4
CVEListV5: apache_software_foundation/apache_traffic_control 1.8.0 incubating, 2.0.0 RC0 incubating +1

Vulnerability Details (3)

GHSA: Apache Traffic Control vulnerable to Slowloris-style Denial of Service attack (2022-05-13)
OSV: Apache Traffic Control vulnerable to Slowloris-style Denial of Service attack (2022-05-13)
CVEList: CVE-2017-7670: The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack (2017-07-10)