Bug 1939669 (CVE-2021-28543) - CVE-2021-28543 varnish-modules: NULL pointer dereference in Varnish Cache via header.append() and header.copy() functions
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-28543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939671 1939672
Blocks: 1939675
Reported: 2021-03-16 19:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-03-31 11:35 UTC

Fixed In Version: varnish-modules 0.18.0
Clone Of:
Environment:
Last Closed: 2021-03-31 11:35:11 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-03-16 19:25:43 UTC
Varnish varnish-modules before 0.17.1 allows remote attackers to cause a denial of service (daemon restart) in some configurations. This does not affect organizations that only install the Varnish Cache product; however, it is common to install both Varnish Cache and varnish-modules. Specifically, an assertion failure or NULL pointer dereference can be triggered in Varnish Cache through the varnish-modules header.append() and header.copy() functions. For some Varnish Configuration Language (VCL) files, this gives remote clients an opportunity to cause a Varnish Cache restart. A restart reduces overall availability and performance due to an increased number of cache misses, and may cause higher load on backend servers.

Reference:
https://varnish-cache.org/security/VSV00006.html

Comment 1 Guilherme de Almeida Suckevicz 2021-03-16 19:26:08 UTC
Created varnish-modules tracking bugs for this issue:

Affects: fedora-all [bug 1939671]


Created varnish:6.0/varnish-modules tracking bugs for this issue:

Affects: fedora-all [bug 1939672]

Comment 2 Ingvar Hagelund 2021-03-17 16:18:28 UTC
rawhide/f35 has been updated with varnish-modules-0.17.1 which includes a fix for this problem.

Comment 3 Ingvar Hagelund 2021-03-17 16:35:23 UTC
FEDORA-2021-2ad352ec70 security update for f34 has varnish-modules-0.17.1 which includes a fix for this problem. https://bodhi.fedoraproject.org/updates/FEDORA-2021-2ad352ec70

Comment 4 Tomas Hoger 2021-03-18 14:16:01 UTC
This is not a Fedora bug, please do not change its state.

Comment 5 Fedora Update System 2021-03-22 02:08:13 UTC
FEDORA-2021-2ad352ec70 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 6 Mauro Matteo Cascella 2021-03-31 08:04:08 UTC
External References:

https://varnish-cache.org/security/VSV00006.html

Comment 8 Mauro Matteo Cascella 2021-03-31 08:32:34 UTC
Mitigation:

Refer to https://varnish-cache.org/security/VSV00006.html#mitigation.

Comment 10 Mauro Matteo Cascella 2021-03-31 09:12:37 UTC
Statement:

The following products are not affected by this flaw, as they ship an older version of the `varnish-modules` package which did not include the vulnerable code in the `header` vmod:
* Red Hat Enterprise Linux 8
* Red Hat Software Collections

Comment 11 Product Security DevOps Team 2021-03-31 11:35:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28543

