Commit 8af34f84
authored Aug 17, 2023 by Poul-Henning Kamp

VSV00012

parent 985aa27e

Showing 3 changed files with 102 additions and 21 deletions (+102, -21):

R1/source/conf.py (+1, -1)
R1/source/security/VSV00012.rst (+79, -0)
R1/source/security/index.rst (+22, -20)
R1/source/conf.py
@@ -47,7 +47,7 @@ master_doc = 'index'
# General information about the project.
project
=
u'Varnish Cache Project'
copyright
=
u'2016
,2017
, Poul-Henning Kamp'
copyright
=
u'2016
-2023
, Poul-Henning Kamp'
author
=
u'Poul-Henning Kamp'
# The version info for the project you're documenting, acts as replacement for
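Review bot: The `u'...'` prefixes on the project, copyright and author strings are a Python 2 leftover and can be dropped in a Python 3 Sphinx build; the copyright change itself (`2016,2017` to `2016-2023`) is fine and matches the 2023 advisory being added in the same commit.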
R1/source/security/VSV00012.rst
0 → 100644
.. _VSV00012:
VSV00012 Base64 decoding vulnerability in vmod-digest
=====================================================
Date: 2023-08-17
A base64 decoding vulnerability has been discovered in vmod-digest.
The potential outcome of the vulnerability can be both authentication
bypass and information disclosure, however the exact attack surface
will depend on the particular VCL configuration in use.
Common usage of vmod-digest is for basic HTTP authentication, in which
case it may be possible for an attacker to circumvent the
authentication check. If the decoded result string is somehow being
made visible to the attacker (for example the result of the decoding
is added to a response header), then there is the potential for
information disclosure from reading out of band workspace data.
Mitigation is possible from VCL by using vmod-blob instead of
vmod-digest for base64 decoding, or by updating to a fixed version of
vmod-digest.
Vmod-digest is a 3rd party VMOD, maintained and distributed
by Varnish Software, but since it was one of the first VMODs
and has seen very wide deployment, we consider this vulnerability
important enough to issue a VSV, even though no code maintained
by the Varnish Cache Project is involved.
Varnish Software's description of this vulnerability can be
found at: https://docs.varnish-software.com/security/VSV00012/
Versions affected
-----------------
* libvmod-digest built on source code prior to 2023-08-17.
Versions not affected
---------------------
* libvmod-digest version 1.0.3 (released 2023-08-17)
Users of the Varnish Enterprise product from Varnish Software: See the
email you received from V-S.
Mitigation from VCL
-------------------
If upgrading vmod-digest is not possible, it is possible to mitigate the
problem using a VCL based workaround.
Vmod-blob implements base64 decoding, and this functionality is not
affected by the issues in vmod-digest. The proposed workaround is to
change VCL configurations which use vmod-digest for base64 decoding
into using vmod-blob instead.
There are 3 affected functions in vmod-digest, each for decoding a
different variant of base64. The functions are `digest.base64_decode`,
`digest.base64url_decode` and `digest.base64url_nopad_decode`. Each
invocation of these functions in the VCL needs to be changed into
using the corresponding vmod-blob construct.
Please see the following examples for how to rewrite the VCL
configuration, where each commented out usage of vmod-digest is
followed by the similar construct using vmod-blob::
import blob;
sub vcl_recv {
# set req.http.decoded = digest.base64_decode(req.http.encoded);
set req.http.decoded = blob.transcode(BASE64, IDENTITY, encoded=req.http.encoded);
# set req.http.decoded = digest.base64url_decode(req.http.encoded);
set req.http.decoded = blob.transcode(BASE64URL, IDENTITY, encoded=req.http.encoded);
# set req.http.decoded = digest.base64url_nopad_decode(req.http.encoded);
set req.http.decoded = blob.transcode(BASE64URLNOPAD, IDENTITY, encoded=req.http.encoded);
}
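Review bot: The three `set req.http.decoded = blob.transcode(...)` lines in the `vcl_recv` example would overwrite each other if someone pasted the block verbatim; a sentence saying that each pair is an independent rewrite and only the line matching the decoder actually in use should be kept would avoid a copy-paste surprise. Relatedly, the example keeps only `import blob;`, which is correct once no digest functions remain, but a VCL that still calls other vmod-digest functions must keep its `import digest;`. Finally, "Versions affected" is stated as a build date ("source code prior to 2023-08-17") while "Versions not affected" names release 1.0.3; naming the last affected release as well would let operators check the installed version rather than a build date.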
R1/source/security/index.rst
@@ -3,30 +3,31 @@
Security, bugs & vulnerabilities
================================
* Rev. 2021-0
3-16 *slin
k*
* Rev. 2021-0
8-17 *ph
k*
List of all Varnish CVEs
------------------------
============= =============== ============================================
Versions CVE What
============= =============== ============================================
6.x, 7.x CVE-2022-45060_ :ref:`vsv00011`
7.0, 7.1, 7.2 CVE-2022-45059_ :ref:`vsv00010`
7.0, 7.1 CVE-2022-38150_ :ref:`vsv00009`
< 7.0.2 CVE-2022-23959_ :ref:`vsv00008`
6.0, 6.5, 6.6 CVE-2021-36740_ :ref:`vsv00007`
(6.5) CVE-2021-28543_ :ref:`vsv00006`
6.0, 6.2, 6.3 CVE-2020-11653_ :ref:`vsv00005`
6.0, 6.2, 6.3 CVE-2019-20637_ :ref:`vsv00004`
6.0, 6.2 CVE-2019-15892_ :ref:`vsv00003`
4.1, 5.2 CVE-2017-8807_ :ref:`vsv00002`
4.x, 5.x CVE-2017-12425_ :ref:`vsv00001`
< 3.0.5 CVE-2013-4484_ DoS
<= 3.0.3 CVE-2013-0345_ Local information leak
2.0.6 CVE-2009-4488_ Trophy hunting
< 2.1.0 CVE-2009-2936_ Trophy hunting
============= =============== ============================================
=============== =============== ====================================
Versions CVE What
=============== =============== ====================================
vmod_digest TBD :ref:`vsv00012`
6.x, 7.x CVE-2022-45060_ :ref:`vsv00011`
7.0, 7.1, 7.2 CVE-2022-45059_ :ref:`vsv00010`
7.0, 7.1 CVE-2022-38150_ :ref:`vsv00009`
< 7.0.2 CVE-2022-23959_ :ref:`vsv00008`
6.0, 6.5, 6.6 CVE-2021-36740_ :ref:`vsv00007`
(6.5) CVE-2021-28543_ :ref:`vsv00006`
6.0, 6.2, 6.3 CVE-2020-11653_ :ref:`vsv00005`
6.0, 6.2, 6.3 CVE-2019-20637_ :ref:`vsv00004`
6.0, 6.2 CVE-2019-15892_ :ref:`vsv00003`
4.1, 5.2 CVE-2017-8807_ :ref:`vsv00002`
4.x, 5.x CVE-2017-12425_ :ref:`vsv00001`
< 3.0.5 CVE-2013-4484_ DoS
<= 3.0.3 CVE-2013-0345_ Local information leak
2.0.6 CVE-2009-4488_ Trophy hunting
< 2.1.0 CVE-2009-2936_ Trophy hunting
=============== =============== ====================================
.. _CVE-2020-11653: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11653
.. _CVE-2019-20637: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20637
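Review bot: The revision stamp is changed to `Rev. 2021-08-17 *phk*`, but the advisory and this commit are dated 2023-08-17, so the year looks like a typo and should read 2023-08-17. In the new table row, `vmod_digest` sits in the Versions column and the CVE column says `TBD` with no `_` reference; every other row pairs a `CVE-xxxx-xxxxx_` reference with a `.. _CVE-...:` target line below the table, so once a CVE is assigned both the reference and the target need adding, and the Versions cell should probably say which vmod-digest releases are affected rather than just the vmod name.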
@@ -48,6 +49,7 @@ Versions CVE What
:hidden:
:maxdepth: 1
VSV00012.rst
VSV00011.rst
VSV00010.rst
VSV00009.rst