VSV00012

R1/source/conf.py

@@ -47,7 +47,7 @@ master_doc = 'index'
 
 # General information about the project.
 project = u'Varnish Cache Project'
-copyright = u'2016,2017, Poul-Henning Kamp'
+copyright = u'2016-2023, Poul-Henning Kamp'
 author = u'Poul-Henning Kamp'
 
 # The version info for the project you're documenting, acts as replacement for

R1/source/security/VSV00012.rst

+.. _VSV00012:
+
+VSV00012 Base64 decoding vulnerability in vmod-digest
+=====================================================
+
+Date: 2023-08-17
+
+A base64 decoding vulnerability has been discovered in vmod-digest.
+
+The potential outcome of the vulnerability can be both authentication
+bypass and information disclosure, however the exact attack surface
+will depend on the particular VCL configuration in use.
+
+Common usage of vmod-digest is for basic HTTP authentication, in which
+case it may be possible for an attacker to circumvent the
+authentication check. If the decoded result string is somehow being
+made visible to the attacker (for example the result of the decoding
+is added to a response header), then there is the potential for
+information disclosure from reading out of band workspace data.
+
+Mitigation is possible from VCL by using vmod-blob instead of
+vmod-digest for base64 decoding, or by updating to a fixed version of
+vmod-digest.
+
+Vmod-digest is a 3rd party VMOD, maintained and distributed
+by Varnish Software, but since it was one of the first VMODs
+and has seen very wide deployment, we consider this vulnerability
+important enough to issue a VSV, even though no code maintained
+by the Varnish Cache Project is involved.
+
+Varnish Software's description of this vulnerability can be
+found at: https://docs.varnish-software.com/security/VSV00012/
+
+Versions affected
+-----------------
+
+* libvmod-digest built on source code prior to 2023-08-17.
+
+Versions not affected
+---------------------
+
+* libvmod-digest version 1.0.3 (released 2023-08-17)
+
+Users of the Varnish Enterprise product from Varnish Software: See the
+email you received from V-S.
+
+Mitigation from VCL
+-------------------
+
+If upgrading vmod-digest is not possible, it is possible to mitigate the
+problem using a VCL based workaround.
+
+Vmod-blob implements base64 decoding, and this functionality is not
+affected by the issues in vmod-digest. The proposed workaround is to
+change VCL configurations which use vmod-digest for base64 decoding
+into using vmod-blob instead.
+
+There are 3 affected functions in vmod-digest, each for decoding a
+different variant of base64. The functions are `digest.base64_decode`,
+`digest.base64url_decode` and `digest.base64url_nopad_decode`. Each
+invocation of these functions in the VCL needs to be changed into
+using the corresponding vmod-blob construct.
+
+Please see the following examples for how to rewrite the VCL
+configuration, where each commented out usage of vmod-digest is
+followed by the similar construct using vmod-blob::
+
+
+  import blob;
+  sub vcl_recv {
+      # set req.http.decoded = digest.base64_decode(req.http.encoded);
+      set req.http.decoded = blob.transcode(BASE64, IDENTITY, encoded=req.http.encoded);
+
+      # set req.http.decoded = digest.base64url_decode(req.http.encoded);
+      set req.http.decoded = blob.transcode(BASE64URL, IDENTITY, encoded=req.http.encoded);
+
+      # set req.http.decoded = digest.base64url_nopad_decode(req.http.encoded);
+      set req.http.decoded = blob.transcode(BASE64URLNOPAD, IDENTITY, encoded=req.http.encoded);
+  }

R1/source/security/index.rst

@@ -3,30 +3,31 @@
 Security, bugs & vulnerabilities
 ================================
 
-* Rev. 2021-03-16 *slink*
+* Rev. 2021-08-17 *phk*
 
 List of all Varnish CVEs
 ------------------------
 
-============= =============== ============================================
-Versions      CVE             What
-============= =============== ============================================
-6.x, 7.x      CVE-2022-45060_ :ref:`vsv00011`
-7.0, 7.1, 7.2 CVE-2022-45059_ :ref:`vsv00010`
-7.0, 7.1      CVE-2022-38150_ :ref:`vsv00009`
-< 7.0.2       CVE-2022-23959_ :ref:`vsv00008`
-6.0, 6.5, 6.6 CVE-2021-36740_ :ref:`vsv00007`
-(6.5)         CVE-2021-28543_ :ref:`vsv00006`
-6.0, 6.2, 6.3 CVE-2020-11653_ :ref:`vsv00005`
-6.0, 6.2, 6.3 CVE-2019-20637_ :ref:`vsv00004`
-6.0, 6.2      CVE-2019-15892_ :ref:`vsv00003`
-4.1, 5.2      CVE-2017-8807_  :ref:`vsv00002`
-4.x, 5.x      CVE-2017-12425_ :ref:`vsv00001`
-< 3.0.5       CVE-2013-4484_  DoS
-<= 3.0.3      CVE-2013-0345_  Local information leak
-2.0.6         CVE-2009-4488_  Trophy hunting
-< 2.1.0       CVE-2009-2936_  Trophy hunting
-============= =============== ============================================
+=============== =============== ====================================
+Versions        CVE             What
+=============== =============== ====================================
+vmod_digest     TBD             :ref:`vsv00012`
+6.x, 7.x        CVE-2022-45060_ :ref:`vsv00011`
+7.0, 7.1, 7.2   CVE-2022-45059_ :ref:`vsv00010`
+7.0, 7.1        CVE-2022-38150_ :ref:`vsv00009`
+< 7.0.2         CVE-2022-23959_ :ref:`vsv00008`
+6.0, 6.5, 6.6   CVE-2021-36740_ :ref:`vsv00007`
+(6.5)           CVE-2021-28543_ :ref:`vsv00006`
+6.0, 6.2, 6.3   CVE-2020-11653_ :ref:`vsv00005`
+6.0, 6.2, 6.3   CVE-2019-20637_ :ref:`vsv00004`
+6.0, 6.2        CVE-2019-15892_ :ref:`vsv00003`
+4.1, 5.2        CVE-2017-8807_  :ref:`vsv00002`
+4.x, 5.x        CVE-2017-12425_ :ref:`vsv00001`
+< 3.0.5         CVE-2013-4484_  DoS
+<= 3.0.3        CVE-2013-0345_  Local information leak
+2.0.6           CVE-2009-4488_  Trophy hunting
+< 2.1.0         CVE-2009-2936_  Trophy hunting
+=============== =============== ====================================
 
 .. _CVE-2020-11653:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11653
 .. _CVE-2019-20637:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20637
@@ -48,6 +49,7 @@ Versions      CVE             What
 	:hidden:
 	:maxdepth: 1
 
+	VSV00012.rst
 	VSV00011.rst
 	VSV00010.rst
 	VSV00009.rst