Apache Traffic Server PROXY Protocol ACL Bypass Vulnerability

Vulnerability

A vulnerability exists in Apache Traffic Server (ATS) versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5, where the Access Control List (ACL) does not properly utilize IP addresses provided by the PROXY protocol. This can lead to unintended access control behavior. Users can configure which IP addresses to use for ACLs by setting 'proxy.config.acl.subjects' when PROXY protocol is enabled. The issue arises because the default behavior does not account for PROXY protocol headers, potentially allowing unauthorized access or actions.

Impact

Exploitation of this vulnerability can result in improper ACL enforcement, allowing clients to bypass intended access controls based on IP addresses.

Remediation

Users of Apache Traffic Server should upgrade to version 9.2.11 or 10.0.6. After upgrading, those who use the PROXY protocol must configure the 'proxy.config.acl.subjects' setting to ensure proper ACL functionality. For users of the ESI plugin, the '--max-inclusion-depth' setting can be adjusted to prevent memory exhaustion issues.
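The following is an added example in Python, not code from Apache Traffic Server or from the advisory. It models the point of the remediation: an IP ACL is only as good as the address it is evaluated against, and behind a PROXY-protocol-speaking load balancer that address is either the TCP peer (the load balancer) or the client address carried in the PROXY header, depending on the configured subjects. The subject keywords `PEER` and `PROXY` are assumed to mirror the `proxy.config.acl.subjects` setting; the addresses, the ACL, the trusted-proxy list and the PROXY v1 line are constructed sample data.

```python
"""Added example (not ATS code): evaluate an IP ACL against the address chosen
by an ordered list of ACL subjects when a PROXY protocol v1 header is present."""
import ipaddress

# Constructed sample: a PROXY v1 line as a load balancer would send it,
# followed by the start of the forwarded HTTP request.
SAMPLE_CONNECTION = (
    b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 80\r\n"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
# Constructed sample: the TCP peer address of that connection is the load balancer.
PEER_ADDRESS = "10.0.0.5"
# Constructed sample ACL intended to admit internal clients only.
ADMIN_ALLOW = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed sample: only these peers are trusted to send a PROXY header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 header at the start of a connection.

    Returns (src_ip, dst_ip, src_port, dst_port, remainder), with the address
    fields set to None for a 'PROXY UNKNOWN' line, or None when the data does
    not start with a PROXY line at all. Malformed headers raise ValueError.
    """
    end = data.find(b"\r\n")
    if end == -1 or not data.startswith(b"PROXY "):
        return None
    parts = data[:end].decode("ascii").split(" ")
    remainder = data[end + 2:]
    if len(parts) == 2 and parts[1] == "UNKNOWN":
        return None, None, None, None, remainder
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(parts[2])
    dst = ipaddress.ip_address(parts[3])
    expected_version = 4 if parts[1] == "TCP4" else 6
    if src.version != expected_version or dst.version != expected_version:
        raise ValueError("address family does not match the PROXY protocol tag")
    return str(src), str(dst), int(parts[4]), int(parts[5]), remainder


def acl_allows(ip, networks):
    """True when ip falls inside any of the allowed networks."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def select_subject(peer_ip, proxy_src_ip, subjects):
    """Pick the address the ACL is evaluated against.

    subjects is an ordered list such as ["PEER"] or ["PROXY", "PEER"]; the
    first subject that yields an address wins. The keyword names are an
    assumption modelled on the ATS setting, not taken from its source.
    """
    for subject in subjects:
        if subject == "PEER":
            return peer_ip
        if subject == "PROXY" and proxy_src_ip is not None:
            return proxy_src_ip
    return None


def evaluate(data: bytes, peer_ip: str, subjects):
    """Return (address the ACL saw, whether the ACL admitted the request)."""
    parsed = parse_proxy_v1(data)
    proxy_src = None
    # A PROXY header is only honoured when the peer is a trusted load balancer;
    # otherwise a directly connected client could supply any source address.
    if parsed is not None and acl_allows(peer_ip, TRUSTED_PROXIES):
        proxy_src = parsed[0]
    subject_ip = select_subject(peer_ip, proxy_src, subjects)
    return subject_ip, acl_allows(subject_ip, ADMIN_ALLOW)


if __name__ == "__main__":
    # Evaluating against the peer admits the external client because the
    # load balancer's address is internal; evaluating against the PROXY
    # source address applies the ACL to the real client.
    for subjects in (["PEER"], ["PROXY", "PEER"]):
        print(subjects, "->", evaluate(SAMPLE_CONNECTION, PEER_ADDRESS, subjects))
```

Running the block shows the two outcomes side by side: with `["PEER"]` the internal-only ACL admits the request from 203.0.113.7 because it only ever sees 10.0.0.5, and with `["PROXY", "PEER"]` the same request is denied. The fallback to `PEER` when no PROXY header is present keeps direct internal connections working.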

Added: Jun 19, 2025, 10:22 AM
Updated: Jun 19, 2025, 10:22 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 7.6
remediation: 8.3
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.