varnishcache / homepage
Commit 2fb17f47
authored Nov 15, 2017 by Poul-Henning Kamp
VSV00002
parent e5b14eda
Showing 3 changed files with 98 additions and 1 deletion (+98 -1)
R1/source/index.rst (+10 -0)
R1/source/security/VSV00002.rst (+86 -0)
R1/source/security/index.rst (+2 -1)
R1/source/index.rst
@@ -8,6 +8,16 @@ Varnish HTTP Cache
What is happening
-----------------
2017-11-15 - Security Advisory: (Unlikely) data leak
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Certain uncommon configurations of Varnish may leak data in
synthetic responses from `vcl_backend_error{}`
Please see :ref:`vsv00002`
We have released Varnish 4.1.9 and 5.2.1 to fix this issue.
2017-09-15 - Varnish 5.2.0 is released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
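Review bot: the `:ref:`vsv00002`` cross-reference in this hunk resolves only if the `.. _vsv00002:` label from the new VSV00002.rst file is built in the same Sphinx run, so the two files must land together or the front page will emit an undefined-label warning and render a bare "vsv00002". Minor: the sentence "Certain uncommon configurations of Varnish may leak data in synthetic responses from `vcl_backend_error{}`" has no terminating period, and the single-backtick markup renders as interpreted text rather than a literal; ``vcl_backend_error{}`` with double backticks is the reStructuredText form for code.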
R1/source/security/VSV00002.rst
0 → 100644
.. _vsv00002:
VSV00002 Data leak - '-sfile' Stevedore transient objects
=========================================================
`CVE-2017-8807 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8807>`_
Date: 2017-11-15
A wrong if statement in the varnishd source code means that synthetic
objects in stevedores which over-allocate, may leak up to page size of
data from a malloc(3) memory allocation.
In a unpredictable percentage of the cases where this condition
arises, a segmentation fault will happen instead.
All the following conditions are required to trigger the problem:
* A `-sfile` or `-spersistent` stevedore must be configured
* A synthetic object must be created in `vcl_backend_error{}`
* The synthetic object ends up in the `file` or `persistent` stevedore.
For the third condition can arise in two different ways:
* The stevedore named `Transient` is configured as `-sfile` or `-spersistent`
(The default is `-smalloc`)
* The default stevedore is `-sfile` or `-spersistent` and the synthetic
object is given a TTL larger than the `shortlived` parameter
(default: 10 seconds.)
It is not inconceiveable that an attack can provoke this situation
on vulnerable varnishd instances, where the leaked memory contains
confidential data and therefore we have classified this as a security
vulnerability.
Mitigation is possible from VCL or by updating to a fixed version
of Varnish Cache.
Versions affected
-----------------
* 4.1.0 to 5.2.0
Versions not affected
---------------------
* All releases up to but not including 4.1.0
* Varnish Cache Plus from Varnish Software.
Fixed in
--------
* 4.1.9 and forward
* 5.2.1 and forward
Mitigation from VCL
-------------------
Do not configure the Transient storage with `-sfile` or `-spersistent`
stevedores.
Do not assign ttls longer than the parameter `shortlived` in
`vcl_backend_error{}`
Source code fix
~~~~~~~~~~~~~~~
https://github.com/varnishcache/varnish-cache/commit/176f8a075a
Thankyous and credits
~~~~~~~~~~~~~~~~~~~~~
Github user @shamger submitted a fix for the segmentation fault issue.
Carlo Cannas of Altervista.org pointed out that the data-leak was
a security issue.
Martin and Espen from Varnish Software has done most of the work
on this security incident.
And yes: I apologize for getting the code wrong in the first place.
*phk*
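Review bot: the section levels in this file are inconsistent: "Source code fix" and "Thankyous and credits" are underlined with `~`, and since reStructuredText assigns heading levels by the order in which underline characters first appear, both become subsections of "Mitigation from VCL" instead of siblings of "Versions affected" and "Fixed in"; underline them with `-` like the others. Two content points: the "Mitigation from VCL" heading under-describes its first item, because not configuring the Transient storage with `-sfile` or `-spersistent` is a varnishd command-line change rather than a VCL change (only the `shortlived` TTL advice is VCL), so "Mitigation without upgrading" or similar would be more accurate; and the title names only `-sfile` although the conditions list says `-spersistent` is equally affected. Typos to fix while here: "For the third condition can arise" (drop "For"), "a unpredictable" (an), "inconceiveable", "Thankyous", and "Martin and Espen ... has done" (have done).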
R1/source/security/index.rst
Security, bugs & vulnerabilities
================================
* Rev. 2018-
08-02
*phk*
* Rev. 2018-
11-15
*phk*
.. toctree::
:maxdepth: 1
VSV00002.rst
VSV00001.rst
We take security and quality *very* seriously in the Varnish project,
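Review bot: the updated revision line reads `Rev. 2018-11-15` while the advisory being added is dated 2017-11-15 and the commit itself is authored Nov 15, 2017; the previous line shown as removed (`Rev. 2018-08-02`) has the same year problem, so check whether the year in both revision stamps should be 2017. The toctree change itself is fine: listing VSV00002.rst ahead of VSV00001.rst keeps the newest advisory first.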