Bug 1756079 (CVE-2019-15892) - CVE-2019-15892 varnish: denial of service handling certain crafted HTTP/1 requests
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-15892
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1756081 1756208 1763958
Blocks: 1756091
Reported: 2019-09-26 17:33 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 21:21 UTC

Fixed In Version: varnish 6.0.4, varnish 6.2.1
Clone Of:
Environment:
Last Closed: 2020-11-04 02:21:38 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4756 0 None None None 2020-11-04 03:37:10 UTC

Description Guilherme de Almeida Suckevicz 2019-09-26 17:33:26 UTC
An issue was discovered in Varnish Cache before 6.0.4 LTS, and 6.1.x and 6.2.x before 6.2.1. An HTTP/1 parsing failure allows a remote attacker to trigger an assert by sending crafted HTTP/1 requests. The assert will cause an automatic restart with a clean cache, which makes it a Denial of Service attack.

https://seclists.org/bugtraq/2019/Sep/5
https://varnish-cache.org/security/VSV00003.html

Comment 1 Guilherme de Almeida Suckevicz 2019-09-26 17:48:52 UTC
Created varnish tracking bugs for this issue:

Affects: fedora-all [bug 1756081]

Comment 5 Huzaifa S. Sidhpurwala 2019-09-27 05:17:15 UTC
External References:

https://varnish-cache.org/security/VSV00003.html

Comment 6 Huzaifa S. Sidhpurwala 2019-09-27 05:17:17 UTC
Mitigation:

This flaw can be mitigated by making changes in the varnish configuration using VCL (Varnish Configuration Language). More details are available at: https://varnish-cache.org/security/VSV00003-mitigation.html#vsv00003-mitigation

Comment 10 Huzaifa S. Sidhpurwala 2019-09-27 05:30:52 UTC
Statement:

This is a remote denial of service flaw in the varnish cache application. It causes varnish to restart with a clean cache. Since the purpose of varnish is to cache web pages, thereby improving overall web server performance, an attacker can cause web performance to degrade due to this attack.

Comment 11 Ingvar Hagelund 2019-09-27 08:38:09 UTC
This CVE was patched 10 days ago in rawhide, and a week ago in f29. I had forgotten to push updates for f30 and f31, sorry about that.

f29: FEDORA-2019-8a85a90af6 varnish-6.0.4-3.fc29, in testing, waiting for stable
f30: FEDORA-2019-feec5e0afd varnish-6.3.0-1.fc30, waiting for testing, please provide karma
f31: FEDORA-2019-a0a0cdef92 varnish-6.3.0-1.fc31, waiting for testing, please provide karma
f32: FEDORA-2019-5c224d8c93 varnish-6.3.0-1.fc31, stable 10 days ago

Ingvar

Comment 16 Huzaifa S. Sidhpurwala 2019-10-22 04:55:14 UTC
Ingvar,

This is a CVE flaw; please do not move this to ON_QA. You can do that with the fedora tracker at:
https://bugzilla.redhat.com/show_bug.cgi?id=1756081

Comment 17 Product Security DevOps Team 2020-11-04 02:21:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15892

Comment 18 errata-xmlrpc 2020-11-04 03:37:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4756 https://access.redhat.com/errata/RHSA-2020:4756

