Bug 2271486 (CVE-2024-30156)

Summary: CVE-2024-30156 varnish: HTTP/2 Broken Window Attack may result in denial of service
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: hhorak, jorton, luhliari
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: varnish 7.4.3, varnish 7.3.2, varnish 6.0.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Varnish cache server, with HTTP/2 support enabled, that may allow a denial of service attack. A malicious client can cause the server to run out of HTTP/2 flow-control credits (window space) on the connection. As a consequence, the server stops properly processing the active HTTP/2 streams while retaining the resources already allocated to them, leading to resource starvation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2271492, 2271493, 2271494, 2271511, 2271512
Bug Blocks: 2271490

Description Marco Benatto 2024-03-25 17:56:05 UTC
Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broken Window Attack.

https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#security
https://varnish-cache.org/security/VSV00014.html
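The Doc Text above describes the mechanism in one sentence: a client drains the server's HTTP/2 flow-control credits and then never replenishes them, so every stream on the connection stalls while the server keeps what it already allocated. The model below is an added illustration for this page, not Varnish code and not a description of the project's actual fix. It uses the RFC 9113 default windows (65,535 bytes) and frame size (16,384 bytes); the Stream/Connection classes, the assumption that a pending response is held in memory until delivered, and the 5-second wait-for-credits timeout used as a hypothetical mitigation are all assumptions made for the demonstration.

```python
"""HTTP/2 flow-control credit exhaustion ("broken window") model.

Added example; not Varnish code. Server model, resource accounting and the
wait-for-credits timeout are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

INITIAL_WINDOW = 65_535   # RFC 9113 default initial flow-control window
MAX_FRAME = 16_384        # RFC 9113 default SETTINGS_MAX_FRAME_SIZE


@dataclass
class Stream:
    stream_id: int
    body: bytes                    # response the server wants to deliver
    sent: int = 0
    window: int = INITIAL_WINDOW   # per-stream send window (credits)
    held_bytes: int = 0            # response bytes buffered while pending
    closed: bool = False

    @property
    def done(self) -> bool:
        return self.sent >= len(self.body)


@dataclass
class Connection:
    window: int = INITIAL_WINDOW   # connection-level send window (credits)
    streams: dict = field(default_factory=dict)
    frames: list = field(default_factory=list)   # (stream_id, n) DATA frames sent
    credit_wait: float = 0.0       # seconds spent blocked on WINDOW_UPDATE
    closed: bool = False

    def open_stream(self, stream_id: int, body: bytes) -> Stream:
        # assumption: the whole response stays buffered until delivered
        s = Stream(stream_id, body, held_bytes=len(body))
        self.streams[stream_id] = s
        return s

    def window_update(self, stream_id: int, increment: int) -> None:
        """WINDOW_UPDATE from the peer; stream 0 credits the connection."""
        if stream_id == 0:
            self.window += increment
        else:
            self.streams[stream_id].window += increment

    def pump(self) -> int:
        """Send DATA frames while both windows allow; return bytes sent."""
        total, progressed = 0, True
        while progressed:
            progressed = False
            for s in self.streams.values():
                if s.done or s.closed:
                    continue
                n = min(MAX_FRAME, s.window, self.window, len(s.body) - s.sent)
                if n <= 0:
                    continue           # starved of stream or connection credits
                s.sent += n
                s.window -= n
                self.window -= n
                self.frames.append((s.stream_id, n))
                total += n
                progressed = True
                if s.done:
                    s.held_bytes = 0   # delivered: buffer released
        return total

    def stalled_streams(self) -> list:
        return [s for s in self.streams.values() if not s.done and not s.closed]

    def held_bytes(self) -> int:
        return sum(s.held_bytes for s in self.streams.values())

    def tick(self, seconds: float, window_timeout: Optional[float] = None) -> None:
        """Advance time; with a timeout, a connection that cannot send anything
        for that long is closed and its resources released (hypothetical)."""
        if self.pump() == 0 and self.stalled_streams():
            self.credit_wait += seconds
            if window_timeout is not None and self.credit_wait >= window_timeout:
                self.close()
        else:
            self.credit_wait = 0.0

    def close(self) -> None:
        self.closed = True
        for s in self.streams.values():
            s.closed = True
            s.held_bytes = 0


def run_attack(n_streams: int, response_size: int, seconds: int,
               window_timeout: Optional[float] = None) -> Connection:
    """Attacker: open streams, let the first window drain, then send no
    WINDOW_UPDATE at all while keeping the TCP connection open."""
    conn = Connection()
    for i in range(n_streams):
        conn.open_stream(2 * i + 1, b"x" * response_size)  # client streams are odd
    conn.pump()
    for _ in range(seconds):
        conn.tick(1.0, window_timeout)
    return conn


def run_honest_client(n_streams: int, response_size: int) -> Connection:
    """Well-behaved client: credits back every DATA frame it consumed on both
    the stream and the connection window, so delivery completes."""
    conn = Connection()
    for i in range(n_streams):
        conn.open_stream(2 * i + 1, b"x" * response_size)
    acked = 0
    while conn.stalled_streams():
        conn.pump()
        for stream_id, n in conn.frames[acked:]:
            conn.window_update(stream_id, n)
            conn.window_update(0, n)
        acked = len(conn.frames)
    return conn


if __name__ == "__main__":
    a = run_attack(10, 100_000, 30)
    print(f"no timeout : closed={a.closed} stalled={len(a.stalled_streams())} "
          f"held={a.held_bytes()} conn_window={a.window}")
    m = run_attack(10, 100_000, 30, window_timeout=5.0)
    print(f"5s timeout : closed={m.closed} held={m.held_bytes()}")
    h = run_honest_client(10, 100_000)
    print(f"honest peer: stalled={len(h.stalled_streams())} held={h.held_bytes()}")
```

With ten streams each carrying a 100 KB response, the server manages exactly one connection window (65,535 bytes) of DATA frames before every stream is starved; without a bound on how long it waits for credits, the full 1 MB of pending responses stays allocated for as long as the attacker keeps the connection open, and an attacker can repeat this across many connections. The honest-client run shows the same state machine completing normally once WINDOW_UPDATE frames arrive, which is why the defect is in the waiting, not in the flow-control accounting itself.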

Comment 10 Marco Benatto 2024-03-25 19:59:37 UTC
Created varnish tracking bugs for this issue:

Affects: fedora-all [bug 2271511]

Comment 11 Marco Benatto 2024-03-25 20:00:13 UTC
Created varnish tracking bugs for this issue:

Affects: epel-7 [bug 2271512]

Comment 15 errata-xmlrpc 2024-04-08 08:44:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:1689 https://access.redhat.com/errata/RHSA-2024:1689

Comment 16 errata-xmlrpc 2024-04-08 09:12:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1690 https://access.redhat.com/errata/RHSA-2024:1690

Comment 17 errata-xmlrpc 2024-04-08 09:14:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1691 https://access.redhat.com/errata/RHSA-2024:1691

Comment 18 errata-xmlrpc 2024-05-06 06:44:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:2700 https://access.redhat.com/errata/RHSA-2024:2700

Comment 19 errata-xmlrpc 2024-05-13 01:22:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2820 https://access.redhat.com/errata/RHSA-2024:2820

Comment 20 errata-xmlrpc 2024-05-21 05:09:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:2938 https://access.redhat.com/errata/RHSA-2024:2938

Comment 21 errata-xmlrpc 2024-05-23 06:56:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3305 https://access.redhat.com/errata/RHSA-2024:3305

Comment 22 errata-xmlrpc 2024-05-28 14:25:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:3426 https://access.redhat.com/errata/RHSA-2024:3426

Comment 23 errata-xmlrpc 2024-07-31 10:15:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:4937 https://access.redhat.com/errata/RHSA-2024:4937