Description
Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack.
A flaw was found in the Varnish cache server, with HTTP/2 support enabled, that may allow a denial of service attack. A malicious actor can cause the server to run out of credits in the HTTP/2 connection flow-control window. As a consequence, the server stops properly processing the active HTTP streams while retaining the resources already allocated to them, leading to resource starvation.
Statement
CVE-2024-30156 is rated Important severity because of its potential to cause widespread denial of service (DoS) on Varnish Cache servers with the HTTP/2 protocol enabled. By exploiting this vulnerability, attackers can exhaust the credits of the server's HTTP/2 connection flow-control window, halting the processing of streams and indefinitely retaining the associated resources. This can lead to a complete service outage, affecting the availability and performance of web services that rely on Varnish Cache. Given how widely HTTP/2 is deployed for its performance benefits, the vulnerability poses a significant risk to web infrastructure, and affected systems should apply the mitigation or the fixed packages promptly.
Mitigation
A possible mitigation for this issue is to disable HTTP/2 support until the package can be updated. This can be performed by running the following command:
Note: you must remove h2 from the list of protocols if your TLS terminator is advertising it with ALPN.
It is also possible to use the MAIN.sc_bankrupt counter to monitor possible ongoing attacks against the Varnish server.
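As an added example for the monitoring suggestion above (not part of the advisory or of Varnish itself), the following POSIX shell script samples MAIN.sc_bankrupt from varnishstat output and flags growth between two samples. The two snapshots embedded below are constructed, and the varnishstat -1 column layout (name, value, rate, description) is assumed.

```shell
#!/bin/sh
# Added example: watch MAIN.sc_bankrupt for growth, which the advisory names as
# an indicator of a possible ongoing attack. Assumes "varnishstat -1" prints
# one counter per line as: NAME VALUE RATE DESCRIPTION.

# Read a varnishstat -1 snapshot on stdin and print the MAIN.sc_bankrupt value
# (0 if the counter is absent from the snapshot).
sc_bankrupt_value() {
    awk '$1 == "MAIN.sc_bankrupt" { print $2; found = 1 }
         END { if (!found) print 0 }'
}

# Print how much MAIN.sc_bankrupt grew between snapshot $1 and snapshot $2.
bankrupt_delta() {
    prev=$(printf '%s\n' "$1" | sc_bankrupt_value)
    cur=$(printf '%s\n' "$2" | sc_bankrupt_value)
    echo $((cur - prev))
}

# Succeed (exit 0) when the counter grew by at least $3 (default 1).
bankrupt_alert() {
    [ "$(bankrupt_delta "$1" "$2")" -ge "${3:-1}" ]
}

# Constructed sample snapshots, not captures from a real server.
SNAP_BEFORE='MAIN.uptime                   3600         1.00 Child process uptime
MAIN.sc_bankrupt                 2         0.00 Session Err BANKRUPT'
SNAP_AFTER='MAIN.uptime                    3660         1.00 Child process uptime
MAIN.sc_bankrupt                17         0.25 Session Err BANKRUPT'

# Live mode: "./watch_bankrupt.sh --live 60" samples the counter every 60s
# and reports when it grows by 5 or more within one interval.
if [ "${1:-}" = "--live" ]; then
    interval=${2:-60}
    prev=$(varnishstat -1 -f MAIN.sc_bankrupt)
    while sleep "$interval"; do
        cur=$(varnishstat -1 -f MAIN.sc_bankrupt)
        if bankrupt_alert "$prev" "$cur" 5; then
            echo "ALERT: MAIN.sc_bankrupt grew by $(bankrupt_delta "$prev" "$cur") in ${interval}s" >&2
        fi
        prev=$cur
    done
fi
```

The alert threshold should be tuned to the normal rate of bankrupt sessions on the host, since a small non-zero rate can occur under ordinary client misbehaviour.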
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | varnish | Not affected | ||
Red Hat Enterprise Linux 10 | varnish-modules | Not affected | ||
Red Hat Enterprise Linux 9 | varnish-modules | Not affected | ||
Red Hat Software Collections | rh-varnish6-jemalloc | Not affected | ||
Red Hat Enterprise Linux 8 | varnish | Fixed | RHSA-2024:1690 | 08.04.2024 |
Red Hat Enterprise Linux 8.2 Advanced Update Support | varnish | Fixed | RHSA-2024:4937 | 31.07.2024 |
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | varnish | Fixed | RHSA-2024:2938 | 21.05.2024 |
Red Hat Enterprise Linux 8.4 Telecommunications Update Service | varnish | Fixed | RHSA-2024:2938 | 21.05.2024 |
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | varnish | Fixed | RHSA-2024:2938 | 21.05.2024 |
Red Hat Enterprise Linux 8.6 Extended Update Support | varnish | Fixed | RHSA-2024:3426 | 28.05.2024 |
Additional information
EPSS
7.5 High
CVSS3