Cyber Security News

Apache Traffic Server Vulnerabilities Let Attackers Perform Malformed Requests

The Apache Software Foundation has released patches for multiple high-severity vulnerabilities in Apache Traffic Server (ATS), its high-performance caching HTTP proxy.

Four distinct flaws (CVE-2024-38311, CVE-2024-56195, CVE-2024-56196, and CVE-2024-56202) allow attackers to smuggle HTTP requests, bypass access controls, and exhaust server resources.

Affected versions are ATS 9.0.0 through 9.2.8 and 10.0.0 through 10.0.3. The fix is to upgrade to 9.2.9 or 10.0.4 (or later); no configuration change fully closes the issues on the affected releases.

Apache Traffic Server Vulnerabilities

HTTP Request Smuggling via Chunked Encoding Pipelining (CVE-2024-38311)

Reported by Ben Kallus, this flaw lies in how ATS frames HTTP/1.1 messages when a chunked message body is followed by further bytes (pipelined data) on the same connection.

An attacker crafts a byte sequence that ATS splits into messages differently from the origin server behind it: bytes that ATS treats as part of one transaction, the origin treats as the start of another, so a request the proxy never inspected reaches the backend.

In the classic form of this attack a request carries both a Transfer-Encoding: chunked header and a Content-Length header, with CRLF sequences placed so that the two parsers disagree on where the body ends and the remainder is read as a separate, attacker-chosen request.
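The disagreement between two HTTP/1.1 framers is easiest to see with a toy model. The code below is an added example and is not ATS code or the CVE-2024-38311 patch; the two framing policies, the function names and the sample request bytes are all constructed for this illustration. One framer follows RFC 9112 and lets Transfer-Encoding override Content-Length, the other honours Content-Length when both are present, and the same byte stream comes out as one request in the first view and two in the second.

```python
"""Constructed demo of HTTP/1.1 request-framing desync (not ATS code).

`frame_te_first` follows RFC 9112 section 6.3 (Transfer-Encoding wins
over Content-Length); `frame_cl_first` honours Content-Length when both
headers are present. When a chunked body is followed by more bytes on the
same connection, the two disagree about whether those bytes are body or a
pipelined second request. SAMPLE is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

CRLF = b"\r\n"


@dataclass
class Request:
    start_line: bytes
    headers: dict[bytes, bytes]
    body: bytes


def _parse_head(buf: bytes) -> tuple[bytes, dict[bytes, bytes], bytes]:
    """Split one request head off `buf`; return (start line, headers, rest)."""
    end = buf.index(b"\r\n\r\n")
    lines = buf[:end].split(CRLF)
    headers: dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, buf[end + 4:]


def _read_chunked(rest: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded body, bytes after the terminator)."""
    body = b""
    while True:
        nl = rest.index(CRLF)
        size = int(rest[:nl].split(b";")[0], 16)  # ignore chunk extensions
        rest = rest[nl + 2:]
        if size == 0:
            # Consume optional trailer fields up to the empty line.
            while True:
                nl = rest.index(CRLF)
                line, rest = rest[:nl], rest[nl + 2:]
                if not line:
                    return body, rest
        body += rest[:size]
        rest = rest[size + 2:]  # chunk data plus its trailing CRLF


def _read_body(headers: dict[bytes, bytes], rest: bytes, te_wins: bool) -> tuple[bytes, bytes]:
    te = headers.get(b"transfer-encoding", b"").lower()
    cl = headers.get(b"content-length")
    if te_wins and te == b"chunked":
        return _read_chunked(rest)
    if cl is not None:
        n = int(cl)
        return rest[:n], rest[n:]
    if te == b"chunked":
        return _read_chunked(rest)
    return b"", rest


def frame(buf: bytes, te_wins: bool) -> list[Request]:
    """Split a connection's bytes into requests under one framing policy."""
    out: list[Request] = []
    while buf:
        start, headers, rest = _parse_head(buf)
        body, buf = _read_body(headers, rest, te_wins)
        out.append(Request(start, headers, body))
    return out


def frame_te_first(buf: bytes) -> list[Request]:
    return frame(buf, te_wins=True)


def frame_cl_first(buf: bytes) -> list[Request]:
    return frame(buf, te_wins=False)


def is_ambiguous_framing(headers: dict[bytes, bytes]) -> bool:
    """True when a message carries both framing headers. RFC 9112 lets a
    server reject such a request with 400 instead of guessing."""
    return b"transfer-encoding" in headers and b"content-length" in headers


# Constructed payload: a chunked terminator, then bytes that look like a
# second request. Content-Length covers all of it, so a CL-first framer
# sees one POST while a TE-first framer sees POST followed by GET /admin.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
TAIL = b"0\r\n\r\n" + SMUGGLED
SAMPLE = (
    b"POST /upload HTTP/1.1\r\nHost: backend\r\n"
    b"Content-Length: " + str(len(TAIL)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n" + TAIL
)


def demo() -> tuple[int, int]:
    """Return how many requests the CL-first and TE-first framers see."""
    return len(frame_cl_first(SAMPLE)), len(frame_te_first(SAMPLE))


if __name__ == "__main__":
    print("Content-Length framing:", [r.start_line for r in frame_cl_first(SAMPLE)])
    print("Transfer-Encoding framing:", [r.start_line for r in frame_te_first(SAMPLE)])
```

The practical check is `is_ambiguous_framing`: a proxy that refuses a message carrying both headers, and that never forwards bytes it has not itself framed as a complete request, removes the room for two parsers to disagree.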

Intercept Plugin Authorization Bypass (CVE-2024-56195)

Masaori Koshiba reported that ATS intercept plugins (plugins that take over a transaction and produce the response themselves instead of the origin) were not subject to the server's access control lists (ACLs).

A request that an ACL should have rejected could therefore still be handled by an intercept plugin. For plugins exposing administrative functions this could allow an unauthenticated client to manipulate cache policy or inject attacker-controlled content. The flaw stems from the ACL checks configured in remap.config not being applied to requests handed to a plugin.

Legacy ACL Compatibility Breakdown (CVE-2024-56196)

Chris McFarlen found that the ACL implementation in ATS 10.x is not compatible with ACL rules written for 9.x.

Systems upgraded from 9.x without revisiting their ip_allow.config and remap.config ACL rules may silently admit IP ranges that were meant to be blocked, or reject legitimate traffic, because the 10.x parser interprets src_ip and related rule patterns differently.

Expect Header Resource Exhaustion (CVE-2024-56202)

David Carlin showed that ATS holds connection resources indefinitely when a client sends an Expect: 100-continue header and then never transmits the body.

An attacker exploits this by flooding the server with such header-only requests, exhausting sockets and connection slots and causing a denial of service. Under the default configuration the server applies no timeout to these half-open connections.
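To make the failure mode concrete, here is an added model of a server's connection bookkeeping; it is not ATS code and not the CVE-2024-56202 patch, and the class, method names, limits and sample request bytes are all constructed for this example. The table parks a connection after answering 100 Continue; with no body deadline the parked connections are never reaped and a header-only flood fills the table, whereas a finite deadline lets the sweeper release them.

```python
"""Constructed model (not ATS code, not the CVE-2024-56202 patch) of the
Expect: 100-continue exhaustion.

`ConnectionTable` stands in for a proxy's connection bookkeeping. When a
client sends headers carrying `Expect: 100-continue`, the server answers
with a 100 interim response and parks the connection until the body
arrives. With `body_deadline=None` (the vulnerable behaviour) parked
connections are never reaped, so header-only requests accumulate until
`max_conns` is reached and new clients are refused. With a finite deadline
the sweeper closes stale connections and the flood is absorbed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Conn:
    cid: int
    opened_at: float
    body_due_at: float | None = None  # set while waiting for the body


def parse_headers(raw: bytes) -> dict[str, str]:
    """Parse a request head (start line plus header lines) into a dict."""
    headers: dict[str, str] = {}
    for line in raw.split(b"\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


class ConnectionTable:
    def __init__(self, max_conns: int, body_deadline: float | None):
        self.max_conns = max_conns
        self.body_deadline = body_deadline
        self.conns: dict[int, Conn] = {}

    def accept(self, cid: int, now: float) -> bool:
        """Admit a new connection unless the table is full."""
        if len(self.conns) >= self.max_conns:
            return False
        self.conns[cid] = Conn(cid, now)
        return True

    def on_headers(self, cid: int, raw: bytes, now: float) -> bytes:
        """Handle a request head; return the interim response to send."""
        h = parse_headers(raw)
        wants_continue = h.get("expect", "").lower() == "100-continue"
        if wants_continue and int(h.get("content-length", "0")) > 0:
            conn = self.conns[cid]
            if self.body_deadline is None:
                conn.body_due_at = float("inf")  # vulnerable: never reaped
            else:
                conn.body_due_at = now + self.body_deadline
            return b"HTTP/1.1 100 Continue\r\n\r\n"
        return b""

    def on_body(self, cid: int) -> None:
        """Body arrived: the connection is no longer parked."""
        self.conns[cid].body_due_at = None

    def sweep(self, now: float) -> list[int]:
        """Close parked connections whose body deadline has passed."""
        stale = [c.cid for c in self.conns.values()
                 if c.body_due_at is not None and c.body_due_at <= now]
        for cid in stale:
            del self.conns[cid]  # a real server would send 408 and close
        return stale

    def open_count(self) -> int:
        return len(self.conns)


# Constructed attacker request: announces a body, asks for 100 Continue,
# and the body never follows.
HEADER_ONLY = (b"POST /upload HTTP/1.1\r\nHost: proxy\r\n"
               b"Content-Length: 1048576\r\nExpect: 100-continue\r\n\r\n")


def flood(table: ConnectionTable, clients: int, interval: float) -> tuple[int, int]:
    """Simulate `clients` attackers sending HEADER_ONLY and never a body,
    one every `interval` seconds; return (accepted, refused)."""
    accepted = refused = 0
    for i in range(clients):
        now = i * interval
        table.sweep(now)
        if table.accept(i, now):
            accepted += 1
            table.on_headers(i, HEADER_ONLY, now)
        else:
            refused += 1
    return accepted, refused


if __name__ == "__main__":
    print("no deadline:  (accepted, refused) =", flood(ConnectionTable(100, None), 150, 1.0))
    print("5 s deadline: (accepted, refused) =", flood(ConnectionTable(100, 5.0), 150, 1.0))
```

The deadline is the whole fix: a client that asks for 100 Continue has no legitimate reason to wait more than a few seconds before sending its body, so a short body timeout costs nothing for real clients and bounds how many connections an attacker can park at once.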

Impact Assessment and Attack Surface

These vulnerabilities collectively affect ATS deployments running as a reverse proxy or serving HTTP/1.1 traffic.

CVE-2024-38311 poses particular risk where ATS fronts web applications, as in many cloud deployments: a smuggled request reaches the origin without passing the authentication and header-based controls enforced at the proxy.

Security teams should prioritise patching the intercept plugin issue (CVE-2024-56195) in multi-tenant setups, where plugin misuse could lead to cross-tenant data exposure.

The ACL regression (CVE-2024-56196) fails silently: an upgraded system appears to work but enforces a different network policy from the one its operators wrote.

Organisations running mixed 9.x/10.x clusters will see the same ACL rules applied differently on different nodes until the upgrade is complete.

Mitigation Strategies and Patch Implementation

The Apache Software Foundation released the fixes in ATS 9.2.9 and 10.0.4. As summarised here, they:

  • Reject pipelined requests that follow a chunked body unless the HTTP state machine has fully consumed that body
  • Apply ACL checks, as configured in remap.config, to requests handled by intercept plugins
  • Restore 9.x-compatible ACL pattern matching alongside the 10.x behaviour
  • Enforce a timeout (reported as 30 seconds) on the wait for a body after a 100 Continue response

Administrators should audit plugin configurations and verify that ACL rules produce the same decisions before and after the upgrade. For systems that cannot be patched immediately, the following workarounds reduce exposure:

  • Disabling HTTP pipelining via proxy.config.http.server_pipeline
  • Adding manual IP restrictions to plugin.config
  • Setting proxy.config.http.wait_for_timeout to 30000 milliseconds

Confirm these option names and defaults against the records.config reference for the release you run before relying on them; the workarounds narrow the attack surface but do not replace the upgrade.

These vulnerabilities highlight the persistent difficulty of keeping an HTTP implementation protocol-compliant while optimising it for performance. The request smuggling vector resembles flaws previously reported in other HTTP proxies such as NGINX and HAProxy, suggesting the problem is not specific to one code base.

Organisations relying on ATS for critical infrastructure should run a web application firewall with protocol anomaly detection in front of or alongside the proxy as a secondary safeguard, keeping in mind that a WAF sharing the proxy's parsing ambiguities will not catch the smuggling case.

The Apache Foundation has committed to enhancing its fuzzing framework to prevent similar regressions in future releases.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
