Bug 2271486 (CVE-2024-30156) - CVE-2024-30156 varnish: HTTP/2 Broken Window Attack may result in denial of service
Summary: CVE-2024-30156 varnish: HTTP/2 Broken Window Attack may result in denial of s...
Keywords:
Status: NEW
Alias: CVE-2024-30156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2271511 2271512 2271492 2271493 2271494
Blocks: 2271490
TreeView+ depends on / blocked
 
Reported: 2024-03-25 17:56 UTC by Marco Benatto
Modified: 2024-04-11 04:32 UTC (History)
3 users (show)

Fixed In Version: varnish 7.4.3, varnish 7.3.2, varnish 6.0.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Varnish cache server, with HTTP/2 support enabled, that may allow a Denial of Service type of attack. A malicious actor can cause the server to run out of credits during the HTTP/2 connection control flow. As a consequence, the server will stop to properly process the active HTTP streams, retaining the already allocated resources, leading to resource starvation.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1693 0 None None None 2024-04-08 09:23:42 UTC
Red Hat Product Errata RHBA-2024:1694 0 None None None 2024-04-08 11:30:56 UTC
Red Hat Product Errata RHBA-2024:1707 0 None None None 2024-04-09 07:05:53 UTC
Red Hat Product Errata RHSA-2024:1689 0 None None None 2024-04-08 08:44:23 UTC
Red Hat Product Errata RHSA-2024:1690 0 None None None 2024-04-08 09:12:51 UTC
Red Hat Product Errata RHSA-2024:1691 0 None None None 2024-04-08 09:14:50 UTC

Description Marco Benatto 2024-03-25 17:56:05 UTC 
Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack.

https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#security
https://varnish-cache.org/security/VSV00014.html
Comment 10 Marco Benatto 2024-03-25 19:59:37 UTC 
Created varnish tracking bugs for this issue:

Affects: fedora-all [bug 2271511]
Comment 11 Marco Benatto 2024-03-25 20:00:13 UTC 
Created varnish tracking bugs for this issue:

Affects: epel-7 [bug 2271512]
Comment 12 Marco Benatto 2024-03-25 20:26:47 UTC 
Upstream commits for this issue:
https://github.com/varnishcache/varnish-cache/commit/c0201724f0280894ec714fe76fc26ba9831f0551
https://github.com/varnishcache/varnish-cache/commit/727a5f80347545b6fc7a6aa48f9fb74e90528f0c
https://github.com/varnishcache/varnish-cache/commit/42a10e90015bd8a9cb1c7c2e0e313f8b5ae9ebe9
https://github.com/varnishcache/varnish-cache/commit/eccb50837d61fcb5a6927eef94c570bd1d03c26d
https://github.com/varnishcache/varnish-cache/commit/0b82e00708b88f696af5881b7a19caf2144d13f7
https://github.com/varnishcache/varnish-cache/commit/4938f05b318eb2daa2ccc89dafeed3126552c481
https://github.com/varnishcache/varnish-cache/commit/41ef373af53571a94ea8f73f0538322270799a84
Comment 15 errata-xmlrpc 2024-04-08 08:44:23 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:1689 https://access.redhat.com/errata/RHSA-2024:1689
Comment 16 errata-xmlrpc 2024-04-08 09:12:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1690 https://access.redhat.com/errata/RHSA-2024:1690
Comment 17 errata-xmlrpc 2024-04-08 09:14:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1691 https://access.redhat.com/errata/RHSA-2024:1691
Note You need to log in before you can comment on or make changes to this bug.