Описание
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.
A flaw was found in the way Varnish parsed certain HTTP/1 requests. A remote attacker could use this flaw to crash Varnish by sending specially crafted multiple HTTP/1 requests processed on the same HTTP/1 keep-alive connection. This causes Varnish to restart with a clean cache, causing a denial of service.
Отчет
This is a remote denial of service flaw in varnish cache application. It causes varnish to restart, with a clean cache, since the purpose of varnish is to cache web pages thereby improving overall web server performance, an attacker can cause web performance to degrade due to this attack.
Меры по смягчению последствий
This flaw can be mitigated by using making changes in varnish configuration by using VCL (Varnish Configuration Language). More details available at: https://varnish-cache.org/security/VSV00003-mitigation.html#vsv00003-mitigation
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Software Collections | rh-varnish5-varnish | Not affected | ||
| Red Hat Enterprise Linux 8 | varnish | Fixed | RHSA-2020:4756 | 04.11.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-varnish6 | Fixed | RHEA-2020:2262 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-varnish6-varnish | Fixed | RHEA-2020:2262 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-varnish6-varnish-modules | Fixed | RHEA-2020:2262 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-varnish6 | Fixed | RHEA-2020:2262 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-varnish6-varnish | Fixed | RHEA-2020:2262 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-varnish6-varnish-modules | Fixed | RHEA-2020:2262 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-varnish6 | Fixed | RHEA-2020:2262 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-varnish6-varnish | Fixed | RHEA-2020:2262 | 26.05.2020 |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x a ...
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.
7.5 High
CVSS3