Headline
CVE-2022-38150: VSV00009 Varnish Denial of Service Vulnerability — Varnish HTTP Cache
In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
Date: 2022-08-09
A denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. In order to execute an attack, the attacker would have to be able to influence the HTTP/1 responses that the Varnish Server receives from its configured backends. A successful attack would cause the Varnish Server to assert and automatically restart.
Versions affected¶
- Varnish Cache releases 7.0.0, 7.0.1, 7.0.2, 7.1.0
Versions not affected¶
Varnish Cache 7.0.3 (released 2022-08-09)
Varnish Cache 7.1.1 (released 2022-08-09)
All versions of Varnish Cache 6.0 LTS series and Varnish Cache Plus by Varnish Software.
GitHub Varnish Cache master branch at commit c5fd097e5cce8b461c6443af02b3448baef2491d
Mitigation¶
If upgrading Varnish is not possible, it is possible to mitigate the problem by adding the following snippet at the beginning of the vcl_backend_response VCL function:
sub vcl_backend_response { set beresp.status = beresp.status; }
By setting the status code to itself as described above, the reason field will automatically be reset to the standard value for the given status code, or “Unknown HTTP Status” if no standard value exists for that code. This would overwrite any existing attack content in the reason field.
Credits¶
This problem was first identified and reproduced by Anthony Schwartz. The original test case and maintainer notification was made by Guillaume Quintard.