Commit f58651d8 (Unverified) authored Mar 10, 2021 by Nils Goroll

Add VSV00006

parent 281fb8e4
Showing 2 changed files with 144 additions and 1 deletion:

* R1/source/security/VSV00006.rst (+141, -0)
* R1/source/security/index.rst (+3, -1)
R1/source/security/VSV00006.rst
0 → 100644
.. _VSV00006:
VSV00006 varnish-modules Denial of Service
==========================================
Date: 2021-03-16
An assert or NULL pointer dereference can be triggered in Varnish
Cache through the ``header.append()`` and ``header.copy()`` functions
from the separate `varnish-modules` bundle, which, depending on
specifics of the Varnish Configuration Language (VCL) file used, might
allow for remote clients to cause Varnish to assert and restart.
A restart reduces overall availability and performance due to an
increased number of cache misses, and may cause higher load on backend
servers.
Note that the ``header`` vmod is *not* shipped with Varnish Cache, but
rather only available with the separate `varnish-modules`
package. The Varnish Cache team decided to release this advisory
because `varnish-modules` is a commonly used component with Varnish
Cache installations.
There is no potential for remote code execution or data leaks related
to this vulnerability.
Mitigation is possible through VCL, or by updating to a fixed version
of `varnish-modules`.
How to check for affected VCL
-----------------------------
This issue is only relevant if an affected version of
`varnish-modules` is installed (see below) and ``header.append()``
and/or ``header.copy()`` are used in VCL. A shell command like this
can be used to check a number of vcl files (denoted here by ``vcl1
vcl2 ...``::
grep -E '\bheader\.append\b|\bheader\.copy\b' vcl1 vcl2 ...
If this command returns no results, the given VCL files are unaffected.
Versions affected
-----------------
* `varnish-modules`_ version 0.17.0
* `varnish-modules klarlack`_ version 0.17.0
Notice that these versions of `varnish-modules` require Varnish Cache
version 6.5 or later.
Notice that users are only affected if the ``header.append()`` or
``header.copy()`` functions are used.
Versions not affected
---------------------
Any version of `varnish-modules` compatible with Varnish Cache
versions 6.4 and earlier are not affected. This includes the Varnish
Cache 6.0-LTS series and all versions of Varnish Cache Plus.
Fixed in
--------
* `varnish-modules`_ and `varnish-modules klarlack`_ version 0.18.0.
Notice that this version of `varnish-modules` requires Varnish Cache
version 6.6 or later.
* `varnish-modules`_ and `varnish-modules klarlack`_ version 0.17.1.
Notice that this version of `varnish-modules` requires Varnish Cache
version 6.5 or later.
Mitigation
----------
To mitigate the problem in VCL, add the following snippet somewhere at
the top of the VCL after the ``vcl`` statement::
import vtc;
sub check_client_ws {
if (vtc.workspace_overflowed(client) || vtc.workspace_free(client) < 512) {
return(fail);
}
}
sub check_backend_ws {
if (vtc.workspace_overflowed(backend) || vtc.workspace_free(backend) < 512) {
return(fail);
}
}
Then ``call check_client_ws;`` needs to be inserted before every call to
``header.append`` and ``header.copy`` on the client side, and,
likewise, ``call check_backend_ws;`` needs to be inserted before these
calls on the backend side, as for example in::
sub vcl_deliver {
# ...
call check_client_ws;
header.append(resp.http.Set-Cookie, "foo=bar");
# ...
}
sub vcl_backend_response {
# ...
call check_backend_ws;
header.copy(beresp.http.set-cookie, beresp.http.x-old-cookie);
# ...
}
Notice that, for optimum protection, ``512`` in the code snippet can
be adjusted to a reasonable upper limit of the appended headers' size
(including the header name, colon and whitespace). ``512`` has been
chosen as a safe upper bound for a header length which will likely fit
most scenarios. If this number is chosen too high, a VCL failure might
be triggered without reason.
References
----------
`varnish-modules`_ is a bundle of VMODs commonly used together with
Varnish Cache.
`varnish-modules klarlack`_ is a bundle of VMODs maintained by UPLEX
that includes the ones from `varnish-modules`_.
Credits
-------
Nils Goroll of UPLEX analysed this issue, contributed the fix and
developed the VCL mitigation method. Geoffrey Simmons of UPLEX helped
with reviews.
We thank Martin Blix Grydeland of Varnish Software and Poul-Henning
Kamp for valuable feedback and reviews.
.. _varnish-modules: https://github.com/varnish/varnish-modules
.. _varnish-modules klarlack: https://github.com/nigoroll/varnish-modules
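Review bot: The parenthesis opened in "(denoted here by ``vcl1 vcl2 ...``::" under "How to check for affected VCL" is never closed, so the sentence introducing the grep command renders broken; close it before the literal-block marker, as in "``vcl1 vcl2 ...``)::". In the same section, the conclusion "the given VCL files are unaffected" only holds for the files named on the command line, so it would help to say that every VCL file pulled into the loaded configuration has to be passed to grep. Under "Versions not affected", "Any version of `varnish-modules` ... are not affected" should read "is not affected". In the Mitigation section, the closing paragraph explains what happens when the ``512`` threshold is set too high but not what happens when it is set too low; a sentence stating that a value smaller than the appended header leaves the assert reachable would make the trade-off explicit.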
R1/source/security/index.rst
...
@@ -3,7 +3,7 @@
...
@@ -3,7 +3,7 @@
Security, bugs & vulnerabilities
Security, bugs & vulnerabilities
================================
================================
* Rev. 20
19-10-07 *ph
k*
* Rev. 20
21-03-16 *slin
k*
List of all Varnish CVEs
List of all Varnish CVEs
------------------------
------------------------
...
@@ -11,6 +11,7 @@ List of all Varnish CVEs
...
@@ -11,6 +11,7 @@ List of all Varnish CVEs
============= =============== ============================================
============= =============== ============================================
Versions CVE What
Versions CVE What
============= =============== ============================================
============= =============== ============================================
(6.5) TBD :ref:`vsv00006`
6.0, 6.2, 6.3 CVE-2020-11653_ :ref:`vsv00005`
6.0, 6.2, 6.3 CVE-2020-11653_ :ref:`vsv00005`
6.0, 6.2, 6.3 CVE-2019-20637_ :ref:`vsv00004`
6.0, 6.2, 6.3 CVE-2019-20637_ :ref:`vsv00004`
6.0, 6.2 CVE-2019-15892_ :ref:`vsv00003`
6.0, 6.2 CVE-2019-15892_ :ref:`vsv00003`
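Review bot: The added row "(6.5) TBD :ref:`vsv00006`" is the only one in this table with a parenthesised version and a placeholder in the CVE column, and nothing on the index page explains either. Since the advisory says the ``header`` vmod is not shipped with Varnish Cache and that the affected `varnish-modules` 0.17.0 requires Varnish Cache 6.5 or later, a short note under the table saying that parentheses mark an issue in a separate module bundle built for that Varnish version would keep readers from taking this as a Varnish Cache 6.5 core bug. "TBD" also needs a follow-up commit that adds the CVE number and its link target once assigned, as the other rows have.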
...
@@ -36,6 +37,7 @@ Versions CVE What
...
@@ -36,6 +37,7 @@ Versions CVE What
:hidden:
:hidden:
:maxdepth: 1
:maxdepth: 1
VSV00006.rst
VSV00005.rst
VSV00005.rst
VSV00004.rst
VSV00004.rst
VSV00003.rst
VSV00003.rst
...
...