Bug 2117692 (CVE-2022-38150) - CVE-2022-38150 varnish: denial of service via colon-starting reason phrase
Summary: CVE-2022-38150 varnish: denial of service via colon-starting reason phrase
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-38150
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2118570 2118571 2118572 2118573 2118574
Blocks: 2116814
TreeView+ depends on / blocked
 
Reported: 2022-08-11 15:58 UTC by Mauro Matteo Cascella
Modified: 2022-09-01 23:55 UTC (History)
6 users (show)

Fixed In Version: varnish 7.0.3, varnish 7.1.1
Doc Type: ---
Doc Text:
A flaw was found in Varnish where a denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. To execute an attack, the attacker needs the ability to influence the HTTP/1 responses that the Varnish Server receives from its configured backends, causing the Varnish Server to assert and automatically restart.
Clone Of:
Environment:
Last Closed: 2022-09-01 23:55:55 UTC


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2022-08-11 15:58:24 UTC
A denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. In order to execute an attack, the attacker would have to be able to influence the HTTP/1 responses that the Varnish Server receives from its configured backends. A successful attack would cause the Varnish Server to assert and automatically restart.

Security advisory:
https://varnish-cache.org/security/VSV00009.html

Upstream issue & fix:
https://github.com/varnishcache/varnish-cache/issues/3830
https://github.com/varnishcache/varnish-cache/commit/c5fd097e5cce8b461c6443af02b3448baef2491d

Comment 1 Sandipan Roy 2022-08-16 07:37:01 UTC
Created varnish tracking bugs for this issue:

Affects: epel-all [bug 2118571]
Affects: fedora-all [bug 2118570]


Created varnish-modules tracking bugs for this issue:

Affects: fedora-all [bug 2118572]


Created varnish:6.0/varnish tracking bugs for this issue:

Affects: fedora-all [bug 2118573]


Created varnish:6.0/varnish-modules tracking bugs for this issue:

Affects: fedora-all [bug 2118574]

Comment 2 Fedora Update System 2022-08-22 01:10:30 UTC
FEDORA-2022-1fa6d1ed2f has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Product Security DevOps Team 2022-09-01 23:55:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-38150


Note You need to log in before you can comment on or make changes to this bug.