
CERT-FI Advisory on Apache Traffic Server

Target
- servers and server applications

Access Vector
- remote
- no user interaction required
- no authentication required

Impact
- denial of service
- potential code execution

Remediation
- fix provided by vendor


A heap overflow vulnerability has been found in the HTTP (Hypertext Transfer Protocol) handling of Apache Traffic Server. By sending a specially modified HTTP message to an affected server, an attacker can cause a denial of service or potentially execute code of the attacker's choosing.

Vulnerability Coordination Information and Acknowledgements

The vulnerability was found by the Codenomicon CROSS project using the Codenomicon HTTP Server Test Suite. CERT-FI would like to thank Codenomicon and the Apache Traffic Server developer community for their co-operation in the remediation efforts.

Vendor Information

  • Apache Traffic Server 3.0.2 and all previous 2.0.x and 3.0.x versions
  • Apache Traffic Server 3.1.2 and all previous 2.1.x and 3.1.x versions


Patch the vulnerable software components according to the guidance published by the vendor.
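
To find installations that fall inside the affected ranges listed above, the following added example (not part of the CERT-FI advisory or of the Apache Traffic Server project) classifies version strings from an inventory. The host names, the inventory format and the optional `ATS/` prefix are assumptions; versions outside the listed ranges are reported as "not-listed" rather than as fixed, because the advisory names no fixed release.

```python
import re

# Affected release lines from the advisory above, as
# (major, minor) -> highest affected patch level; None = every release on that line.
AFFECTED = {(2, 0): None, (3, 0): 2, (2, 1): None, (3, 1): 2}

# Accept "3.0.2", "3.1.2-unstable" or "ATS/3.0.2" (the prefix is an assumed
# inventory format); anything else is rejected rather than guessed at.
_VERSION = re.compile(r"^(?:ATS/)?(\d+)\.(\d+)\.(\d+)(?![\d.])")


def classify(version_text):
    """Return 'affected', 'not-listed' or 'unparsed' for one version string."""
    match = _VERSION.match(version_text.strip())
    if match is None:
        return "unparsed"
    major, minor, patch = (int(part) for part in match.groups())
    if (major, minor) not in AFFECTED:
        return "not-listed"
    ceiling = AFFECTED[(major, minor)]
    if ceiling is None or patch <= ceiling:
        return "affected"
    return "not-listed"


# Constructed inventory: host names and versions are illustrative only.
SAMPLE_INVENTORY = {
    "proxy-a.example.net": "ATS/3.0.2",
    "proxy-b.example.net": "3.0.3",
    "proxy-c.example.net": "2.1.9-unstable",
    "proxy-d.example.net": "3.1.2",
    "proxy-e.example.net": "3.2.0",
    "proxy-f.example.net": "Apache/2.0.64",  # different product: must not match
}


def audit(inventory):
    """Group hosts by classification so affected and unparsed ones get followed up."""
    report = {"affected": [], "not-listed": [], "unparsed": []}
    for host, version_text in sorted(inventory.items()):
        report[classify(version_text)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unparsed" need a manual check, since an unreadable version string says nothing about exposure.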


Contact Information

CERT-FI Vulnerability Coordination can be contacted as follows:

Please quote the advisory reference [FICORA #612884] in the subject line

+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax:
+358 9 6966 515

Vulnerability Coordination
P.O. Box 313
FI-00181 Helsinki

CERT-FI encourages those who wish to communicate via email to make use
of our PGP key. The key is available at

The CERT-FI vulnerability coordination policy can be viewed at

Revision History

22 Mar 2012, 18:59 UTC: Published

Page updated 11.05.2012