CVE-2024-35161 is a critical vulnerability classified under CWE-444, involving inconsistent interpretation of HTTP requests, commonly known as HTTP request smuggling. The vulnerability exists in Apache Traffic Server versions 8.0.0 through 8.1.10 and 9.0.0 through 9.2.4, where the server improperly forwards malformed HTTP chunked trailer sections to origin servers. HTTP chunked transfer encoding allows data to be sent in chunks, with an optional trailer section for metadata. In this case, Apache Traffic Server does not correctly handle or sanitize the chunked trailer section, forwarding malformed trailers to backend servers. This discrepancy can be exploited by attackers to smuggle crafted HTTP requests that bypass security controls, leading to request smuggling attacks. Such attacks can allow an attacker to desynchronize the front-end proxy and the backend server’s interpretation of HTTP requests, enabling malicious requests to be injected or legitimate requests to be manipulated. Additionally, if the origin servers are vulnerable, this can lead to cache poisoning, where malicious content is cached and served to other users, undermining data integrity and confidentiality. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network, increasing its severity. Apache has introduced a new configuration setting, proxy.config.http.drop_chunked_trailers, allowing administrators to drop chunked trailers to mitigate the issue. The definitive fix is provided in Apache Traffic Server versions 8.1.11 and 9.2.5, which properly handle the chunked trailer sections to prevent request smuggling. No known exploits are currently reported in the wild, but the high CVSS score of 9.1 reflects the critical nature of this vulnerability and the potential for significant impact if exploited.

For European organizations, this vulnerability poses a significant risk to web infrastructure relying on Apache Traffic Server as a reverse proxy or caching server. Successful exploitation can lead to unauthorized request injection, bypassing security controls such as web application firewalls or authentication mechanisms. This can compromise the confidentiality of sensitive data by exposing internal requests or enabling session hijacking. Integrity is threatened through cache poisoning, where malicious or altered content is served to users, potentially spreading malware or misinformation. Availability impact is limited but may occur if backend servers become unstable due to malformed requests. Given the critical CVSS score and the lack of required authentication, attackers can remotely exploit this vulnerability at scale. Organizations in sectors such as finance, government, healthcare, and telecommunications, which heavily rely on secure and reliable web services, are particularly at risk. The vulnerability also undermines trust in web services and can lead to regulatory compliance issues under GDPR if personal data is exposed or manipulated.

European organizations should immediately upgrade Apache Traffic Server to versions 8.1.11 or 9.2.5 where the vulnerability is fixed. Until upgrades can be applied, administrators should enable the proxy.config.http.drop_chunked_trailers setting to prevent forwarding of chunked trailer sections, reducing the attack surface. Conduct thorough audits of all proxy and caching configurations to ensure no legacy or custom modules reintroduce similar parsing inconsistencies. Implement strict input validation and HTTP request normalization on both proxy and origin servers to detect and block malformed requests. Monitor web traffic for anomalies indicative of request smuggling attempts, such as unexpected request lengths or header inconsistencies. Employ layered security controls including web application firewalls configured to detect HTTP request smuggling patterns. Regularly review and update incident response plans to include scenarios involving HTTP request smuggling and cache poisoning. Finally, maintain up-to-date inventories of all Apache Traffic Server deployments to ensure timely patch management and vulnerability tracking.