Bug 1756079 (CVE-2019-15892)

Summary: CVE-2019-15892 varnish: denial of service handling certain crafted HTTP/1 requests
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: hhorak, huzaifas, ingvar, jorton, luhliari, psampaio
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: varnish 6.0.4, varnish 6.2.1
Doc Text:
A flaw was found in the way Varnish parsed certain HTTP/1 requests. A remote attacker could use this flaw to crash Varnish by sending multiple specially crafted HTTP/1 requests that are processed on the same HTTP/1 keep-alive connection. The crash makes Varnish restart with a clean cache, resulting in a denial of service.
Last Closed: 2020-11-04 02:21:38 UTC
Bug Depends On: 1756081, 1756208, 1763958    
Bug Blocks: 1756091    

Description Guilherme de Almeida Suckevicz 2019-09-26 17:33:26 UTC
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.

https://seclists.org/bugtraq/2019/Sep/5
https://varnish-cache.org/security/VSV00003.html

Comment 1 Guilherme de Almeida Suckevicz 2019-09-26 17:48:52 UTC
Created varnish tracking bugs for this issue:

Affects: fedora-all [bug 1756081]

Comment 5 Huzaifa S. Sidhpurwala 2019-09-27 05:17:15 UTC
External References:

https://varnish-cache.org/security/VSV00003.html

Comment 6 Huzaifa S. Sidhpurwala 2019-09-27 05:17:17 UTC
Mitigation:

This flaw can be mitigated by making changes in the Varnish configuration using VCL (Varnish Configuration Language). More details are available at: https://varnish-cache.org/security/VSV00003-mitigation.html#vsv00003-mitigation

Comment 10 Huzaifa S. Sidhpurwala 2019-09-27 05:30:52 UTC
Statement:

This is a remote denial of service flaw in the Varnish cache application. It causes Varnish to restart with a clean cache. Since the purpose of Varnish is to cache web pages, thereby improving overall web server performance, an attacker can cause web performance to degrade due to this attack.

Comment 11 Ingvar Hagelund 2019-09-27 08:38:09 UTC
This CVE was patched 10 days ago in rawhide, and a week ago in f29. I had forgotten to push updates for f30 and f31, sorry about that.

f29: FEDORA-2019-8a85a90af6 varnish-6.0.4-3.fc29, in testing, waiting for stable
f30: FEDORA-2019-feec5e0afd varnish-6.3.0-1.fc30, waiting for testing, please provide karma
f31: FEDORA-2019-a0a0cdef92 varnish-6.3.0-1.fc31, waiting for testing, please provide karma
f32: FEDORA-2019-5c224d8c93 varnish-6.3.0-1.fc31, stable 10 days ago

Ingvar

Comment 16 Huzaifa S. Sidhpurwala 2019-10-22 04:55:14 UTC
Ingvar,

This is a CVE flaw; please do not move this to ON_QA. You can do that with the Fedora tracker at:
https://bugzilla.redhat.com/show_bug.cgi?id=1756081

Comment 17 Product Security DevOps Team 2020-11-04 02:21:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15892

Comment 18 errata-xmlrpc 2020-11-04 03:37:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4756 https://access.redhat.com/errata/RHSA-2020:4756