The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Varnish-Cache

vulnerability bulletin CVE-2016-1000104 CVE-2016-1000105 CVE-2016-1000107

Web servers: creating client queries via the Proxy header

Synthesis of the vulnerability

An attacker can send a request with a malicious Proxy header to a web service hosting a CGI script that itself makes web client requests, so that those requests go through the attacker's proxy.
Impacted products: Apache httpd, Tomcat, Mac OS X, Debian, Drupal Core, VNX Operating Environment, VNX Series, eZ Publish, Fedora, HP-UX, QRadar SIEM, Junos Space, NSM Central Manager, NSMXpress, lighttpd, IIS, nginx, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Perl Module ~ not comprehensive, PHP, Python, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, TrendMicro ServerProtect, TYPO3 Core, Ubuntu, Varnish.
Severity: 3/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 12.
Creation date: 18/07/2016.
Identifiers: 1117414, 1994719, 1994725, 1999671, APPLE-SA-2017-09-25-1, bulletinjul2017, bulletinoct2016, c05324759, CERTFR-2016-AVI-240, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, cpujan2018, CVE-2016-1000104, CVE-2016-1000105, CVE-2016-1000107, CVE-2016-1000108, CVE-2016-1000109, CVE-2016-1000110, CVE-2016-1000111, CVE-2016-1000212, CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, DLA-1883-1, DLA-553-1, DLA-568-1, DLA-583-1, DLA-749-1, DRUPAL-SA-CORE-2016-003, DSA-2019-131, DSA-3623-1, DSA-3631-1, DSA-3642-1, EZSA-2016-001, FEDORA-2016-07e9059072, FEDORA-2016-2c324d0670, FEDORA-2016-340e361b90, FEDORA-2016-4094bd4ad6, FEDORA-2016-4e7db3d437, FEDORA-2016-604616dc33, FEDORA-2016-683d0b257b, FEDORA-2016-970edb82d4, FEDORA-2016-9c8cf5912c, FEDORA-2016-9de7253cc7, FEDORA-2016-9fd814a7f2, FEDORA-2016-9fd9bfab9e, FEDORA-2016-a29c65b00f, FEDORA-2016-aef8a45afe, FEDORA-2016-c1b01b9278, FEDORA-2016-df0726ae26, FEDORA-2016-e2c8f5f95a, FEDORA-2016-ea5e284d34, HPSBUX03665, HT207615, HT208144, HT208221, httpoxy, JSA10770, JSA10774, openSUSE-SU-2016:1824-1, openSUSE-SU-2016:2054-1, openSUSE-SU-2016:2055-1, openSUSE-SU-2016:2115-1, openSUSE-SU-2016:2120-1, openSUSE-SU-2016:2252-1, openSUSE-SU-2016:2536-1, openSUSE-SU-2016:3092-1, openSUSE-SU-2016:3157-1, openSUSE-SU-2017:0223-1, RHSA-2016:1420-01, RHSA-2016:1421-01, RHSA-2016:1422-01, RHSA-2016:1538-01, RHSA-2016:1609-01, RHSA-2016:1610-01, RHSA-2016:1611-01, RHSA-2016:1612-01, RHSA-2016:1613-01, RHSA-2016:1624-01, RHSA-2016:1626-01, RHSA-2016:1627-01, RHSA-2016:1628-01, RHSA-2016:1629-01, RHSA-2016:1630-01, RHSA-2016:1635-01, RHSA-2016:1636-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:1978-01, RHSA-2016:2045-01, RHSA-2016:2046-01, SSA:2016-203-02, SSA:2016-358-01, SSA:2016-363-01, SUSE-SU-2017:1632-1, SUSE-SU-2017:1660-1, SUSE-SU-2019:0223-1, USN-3038-1, USN-3045-1, USN-3134-1, USN-3177-1, USN-3177-2, USN-3585-1, VIGILANCE-VUL-20143, VU#797896.

Description of the vulnerability

Most web servers support CGI scripts (PHP, Python, etc.).

According to RFC 3875, when a web server receives a Proxy header, it has to create the HTTP_PROXY environment variable for CGI scripts.

However, this variable is also used to store the name of the proxy that web clients have to use. PHP scripts (via Guzzle, Artax, etc.) and Python scripts will thus use the proxy indicated in the web request for all client requests they send during the CGI session.

An attacker can therefore send a request with a malicious Proxy header to a web service hosting a CGI script that itself makes web client requests, so that those requests go through the attacker's proxy.
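The mechanism above, and both sides of the fix, as an added example (not Vigil@nce's or any vendor's code): the RFC 3875 mapping that turns a client-sent Proxy header into HTTP_PROXY, the server-side mitigation of dropping that header before the CGI script runs, and the client-library rule adopted in CPython's urllib for CVE-2016-1000110, which ignores an upper-case HTTP_PROXY whenever REQUEST_METHOD is present. Hostnames and the sample request are constructed.

```python
"""Hardening against the httpoxy pattern in a CGI environment.

Added example, not Vigil@nce's or any vendor's code.  It shows (1) the RFC 3875
header-to-meta-variable mapping that turns a client-sent "Proxy" header into
HTTP_PROXY, (2) the server-side fix of dropping that header before the CGI
script runs, and (3) the client-library rule (the one CPython adopted for
CVE-2016-1000110) of ignoring an upper-case HTTP_PROXY whenever REQUEST_METHOD
is present.  All hostnames below are constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]


def cgi_environ(method: str, headers: Headers,
                base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>,
    upper-cased with '-' replaced by '_'.  A 'Proxy' header therefore lands
    in HTTP_PROXY, the name client libraries read for their proxy setting."""
    env = dict(base or {})
    env["REQUEST_METHOD"] = method
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers: Headers) -> Headers:
    """Server-side mitigation: a 'Proxy' request header has no defined
    meaning, so drop it before anything downstream can see it."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def http_proxy_for(env: Dict[str, str], cgi_aware: bool) -> Optional[str]:
    """Resolve the HTTP proxy from an environment mapping.

    cgi_aware=False is the historical behaviour: any http_proxy name, in any
    letter case, is trusted.  cgi_aware=True applies the fix: inside a CGI
    request (REQUEST_METHOD set) only the exact lower-case http_proxy, which
    the header mapping can never produce, is honoured.
    """
    proxy = None
    for name, value in env.items():
        if value and name.lower() == "http_proxy":
            proxy = value                      # last one wins, like a naive loop
    if cgi_aware and "REQUEST_METHOD" in env:
        proxy = env.get("http_proxy") or None  # operator-set value only
    return proxy


# Constructed sample: an operator-configured egress proxy and a request that
# carries a hostile Proxy header.
OPERATOR_ENV = {"http_proxy": "http://egress-proxy.internal.example:3128"}
REQUEST_HEADERS: Headers = [
    ("Host", "shop.example"),
    ("Proxy", "rogue-proxy.example:8080"),
]


def demo() -> Dict[str, object]:
    env = cgi_environ("GET", REQUEST_HEADERS, OPERATOR_ENV)
    cleaned = cgi_environ("GET", strip_proxy_header(REQUEST_HEADERS), OPERATOR_ENV)
    return {
        "env_has_HTTP_PROXY": "HTTP_PROXY" in env,
        "legacy_client": http_proxy_for(env, cgi_aware=False),
        "fixed_client": http_proxy_for(env, cgi_aware=True),
        "header_stripped": "HTTP_PROXY" in cleaned,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the header is best dropped at the web server (for Apache httpd with mod_headers, `RequestHeader unset Proxy early`), and client libraries are patched to the versions listed in the identifiers above; the environment check in `http_proxy_for()` is defence in depth for scripts that cannot rely on either.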

vulnerability note CVE-2015-8852

Varnish: cache poisoning via CR

Synthesis of the vulnerability

An attacker can use special HTTP headers with Varnish, in order to read or alter cache data.
Impacted products: Debian, openSUSE, Varnish.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 23/03/2015.
Identifiers: CVE-2015-8852, DSA-3553-1, openSUSE-SU-2016:1316-1, VIGILANCE-VUL-16444.

Description of the vulnerability

The HTTP protocol specifies that headers are separated by the "\r\n" sequence (CR, carriage return, followed by LF, line feed).

However, Varnish accepts headers separated only by the CR character. If the HTTP processing chain does not use the same rules, some HTTP queries/replies may be interpreted in a different way, which may lead to a cache corruption, and to the delivery of data belonging to another session.

An attacker can therefore use special HTTP headers with Varnish, in order to read or alter cache data.

vulnerability 16340

Varnish: buffer overflow of Content-Length

Synthesis of the vulnerability

An attacker who is located behind Varnish can generate a buffer overflow on Varnish via a malformed Content-Length header, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Fedora, Varnish.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: intranet server.
Creation date: 09/03/2015.
Identifiers: FEDORA-2015-4079, VIGILANCE-VUL-16340.

Description of the vulnerability

The Varnish product is positioned as a cache in front of a web server.

The HTTP Content-Length header indicates the size of the body data.

However, if this header is malformed, and if the size of data is greater than the size of the storage array, an overflow occurs.

An attacker who is located behind Varnish can therefore generate a buffer overflow on Varnish via a malformed Content-Length header, in order to trigger a denial of service, and possibly to execute code.
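The two parsing disagreements described in the CVE-2015-8852 bulletin (bare CR as a header separator) and in this one (an unvalidated Content-Length), as an added example that is not Varnish code: a strict HTTP/1.1 request-head parser beside a lenient one, fed the same constructed bytes. `MAX_BODY` is an arbitrary limit chosen for the example, not a Varnish setting.

```python
"""Strict versus lenient HTTP/1.1 request-head parsing.

Added example, not Varnish code.  It puts a strict parser (CRLF only, bare CR
or LF rejected, Content-Length digits-only and bounded) beside a lenient one
that, as the bulletins describe, also accepts a bare CR as a header separator
and takes Content-Length at face value.  Feeding both the same constructed
bytes shows how two hops in a processing chain can disagree about a message.
MAX_BODY is an arbitrary limit for the example, not a Varnish setting.
"""
import re
from typing import Dict, List, Optional, Tuple

MAX_BODY = 1 << 20
_TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 7230 token
_DIGITS = re.compile(r"[0-9]+")

HeadersMap = Dict[str, List[str]]
Parsed = Tuple[str, HeadersMap, int]   # request line, headers, declared body length


class MalformedRequest(ValueError):
    """Raised by the strict parser for anything it refuses to guess about."""


def split_head(raw: bytes, strict: bool) -> Tuple[List[bytes], bytes]:
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("request head not terminated by CRLF CRLF")
    if strict:
        lines = head.split(b"\r\n")
        for line in lines:
            if b"\r" in line or b"\n" in line:
                raise MalformedRequest("bare CR or LF inside a header line")
    else:
        # Lenient: a lone CR also ends a line, so one physical line may yield two headers.
        lines = re.split(rb"\r\n|\r", head)
    return lines, rest


def parse_headers(lines: List[bytes], strict: bool) -> HeadersMap:
    headers: HeadersMap = {}
    for line in lines:
        name, colon, value = line.partition(b":")
        if not colon or (strict and not _TOKEN.fullmatch(name)):
            raise MalformedRequest("bad header line %r" % line)
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def declared_length(headers: HeadersMap, strict: bool) -> int:
    values = headers.get("content-length")
    if not values:
        return 0
    if not strict:
        return int(values[-1])        # whatever the last copy says, unbounded
    # RFC 7230 section 3.3.2: all copies must agree and be plain decimal digits;
    # the size must also fit the buffer that will receive the body.
    if len(set(values)) != 1 or not _DIGITS.fullmatch(values[0]):
        raise MalformedRequest("invalid or conflicting Content-Length")
    length = int(values[0])
    if length > MAX_BODY:
        raise MalformedRequest("Content-Length %d exceeds MAX_BODY" % length)
    return length


def parse_request(raw: bytes, strict: bool) -> Parsed:
    lines, _body = split_head(raw, strict)
    request_line = lines[0].decode("latin-1")
    if strict and len(request_line.split(" ")) != 3:
        raise MalformedRequest("request line must be METHOD SP TARGET SP VERSION")
    headers = parse_headers(lines[1:], strict)
    return request_line, headers, declared_length(headers, strict)


def try_parse(raw: bytes, strict: bool) -> Optional[Parsed]:
    """None means the parser refused the request."""
    try:
        return parse_request(raw, strict)
    except ValueError:        # MalformedRequest is a ValueError
        return None


# Constructed samples.  GLUED has a bare CR between two headers; HUGE declares
# a body far larger than any buffer the example is prepared to hold.
GLUED = (b"GET /account HTTP/1.1\r\n"
         b"Host: shop.example\rX-Debug: 1\r\n"
         b"\r\n")
HUGE = (b"POST /upload HTTP/1.1\r\n"
        b"Host: shop.example\r\n"
        b"Content-Length: 99999999999\r\n"
        b"\r\n")

if __name__ == "__main__":
    for label, raw in (("glued", GLUED), ("huge", HUGE)):
        print(label, "strict  ->", try_parse(raw, strict=True))
        print(label, "lenient ->", try_parse(raw, strict=False))
```

The strict parser refuses both samples outright; the lenient one sees two headers where the strict one sees one malformed line, and accepts a declared length no buffer can hold. A cache and the origin behind it should agree on which of these two behaviours they implement, and rejecting is the safe default.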

computer vulnerability 14985

Varnish: denial of service via Vary

Synthesis of the vulnerability

An attacker, who is located behind Varnish, can send a malicious Vary header to Varnish, in order to trigger a denial of service.
Impacted products: Varnish.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet server.
Creation date: 03/07/2014.
Identifiers: VIGILANCE-VUL-14985.

Description of the vulnerability

The Varnish product is positioned as a cache in front of a web server.

The HTTP Vary header indicates the list of headers to use in order to decide how to cache a page.

However, if the web server indicates to Varnish a long Vary header, an assertion error occurs in the http_GetHdr() function of the cache/cache_http.c file.

An attacker, who is located behind Varnish, can therefore send a malicious Vary header to Varnish, in order to trigger a denial of service.

computer vulnerability CVE-2013-4484

Varnish: denial of service via spaces

Synthesis of the vulnerability

An attacker can send a malformed GET query to Varnish, in order to trigger a denial of service.
Impacted products: Debian, Fedora, openSUSE, Varnish.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 30/10/2013.
Identifiers: 1367, BID-63451, CVE-2013-4484, DSA-2814-1, FEDORA-2013-24018, FEDORA-2013-24023, MDVSA-2014:036, openSUSE-SU-2013:1679-1, openSUSE-SU-2013:1683-1, VIGILANCE-VUL-13675.

Description of the vulnerability

The Varnish error manager can indicate to restart VCL (vcl_recv) when an error occurs:
  sub vcl_error {
    return(restart);
  }

An HTTP GET request should use the syntax "GET /page HTTP/1.1". However, if the HTTP GET request contains only spaces, an assertion failure occurs during the error processing.

An attacker can therefore send a malformed GET query to Varnish, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2013-4090

Varnish HTTP Cache: weak access control

Synthesis of the vulnerability

An attacker can access Varnish HTTP Cache, even if the server configuration states that their IP address should be blocked.
Impacted products: Varnish.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Creation date: 11/06/2013.
Identifiers: CVE-2013-4090, VIGILANCE-VUL-12938.

Description of the vulnerability

Varnish is an HTTP cache.

It allows the administrator to specify access control lists to accept or reject requests according to their source IP address. However, when access lists are used to block addresses, and when the addresses to be blocked are specified with a subnet mask that does not end on a byte boundary, the function vcc_acl_emit() defined in the file lib/libvcl/vcc_acl.c computes an address set smaller than intended.

An attacker can therefore access Varnish HTTP Cache, even if the server configuration states that their IP address should be blocked.
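The symptom above, as an added example that is not Varnish code: a correct CIDR check with a full 32-bit mask beside a constructed byte-aligned approximation (an illustration of the effect, not vcc_acl_emit()), plus the kind of boundary probe worth running against a deny list before trusting it. IPv4 only; the sample networks are documentation ranges.

```python
"""ACL matching at non-byte-aligned prefix lengths.

Added example, not Varnish code.  blocked_exact() checks an address against a
CIDR block with a full 32-bit mask.  blocked_byte_aligned() is a constructed
illustration of the symptom in the bulletin (not vcc_acl_emit()): it only
compares whole leading octets, so a /20 behaves like a /24 and the blocked set
comes out smaller than intended.  leaked_addresses() is the kind of check to
run against boundary addresses before trusting a deny list.  IPv4 only.
"""
import ipaddress
from typing import Iterable, List


def blocked_exact(ip: str, cidr: str) -> bool:
    """Correct: the mask may end at any bit position."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def blocked_byte_aligned(ip: str, cidr: str) -> bool:
    """Flawed: rounds the prefix up to whole octets and compares those only.
    Example: 10.20.16.0/20 is treated as 10.20.16.0/24, so 10.20.17.1 passes."""
    net, _, plen = cidr.partition("/")
    octets = (int(plen) + 7) // 8
    return ip.split(".")[:octets] == net.split(".")[:octets]


def boundary_probes(cidr: str) -> List[str]:
    """First, middle and last address of the block: where mask bugs show up."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(net[0]), str(net[net.num_addresses // 2]), str(net[-1])]


def leaked_addresses(cidr: str, candidates: Iterable[str]) -> List[str]:
    """Addresses the policy intends to block that the flawed check lets through."""
    return [ip for ip in candidates
            if blocked_exact(ip, cidr) and not blocked_byte_aligned(ip, cidr)]


if __name__ == "__main__":
    # Constructed ACL entries: one /20 (mask ends mid-octet) and one /24.
    for acl in ("10.20.16.0/20", "192.0.2.0/24"):
        probes = boundary_probes(acl)
        print(acl, "probes:", probes, "leaked:", leaked_addresses(acl, probes))
```

For the /20 the middle and last probes are blocked by the exact check but pass the byte-aligned one; for the /24 the two checks agree on every probe. Running the same probes against the real cache (a request from each address, with the ACL deny in place) is the practical verification.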
