Bug 1939669 (CVE-2021-28543) - CVE-2021-28543 varnish-modules: NULL pointer dereference in Varnish Cache via header.append() and header.copy() functions
Summary: CVE-2021-28543 varnish-modules: NULL pointer dereference in Varnish Cache via...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-28543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939671 1939672
Blocks: 1939675
TreeView+ depends on / blocked
 
Reported: 2021-03-16 19:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-03-31 11:35 UTC (History)
5 users (show)

Fixed In Version: varnish-modules 0.18.0
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference issue was found in Varnish Cache through the 'header' module from the separate varnish-modules package. This flaw might allow for remote clients to cause Varnish to assert and restart, reducing overall availability and performance due to an increased number of cache misses, and may cause higher load on back-end servers. There is no potential for remote code execution or data leaks related to this vulnerability.
Clone Of:
Environment:
Last Closed: 2021-03-31 11:35:11 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-03-16 19:25:43 UTC 
Varnish varnish-modules before 0.17.1 allows remote attackers to cause a denial of service (daemon restart) in some configurations. This does not affect organizations that only install the Varnish Cache product; however, it is common to install both Varnish Cache and varnish-modules. Specifically, an assertion failure or NULL pointer dereference can be triggered in Varnish Cache through the varnish-modules header.append() and header.copy() functions. For some Varnish Configuration Language (VCL) files, this gives remote clients an opportunity to cause a Varnish Cache restart. A restart reduces overall availability and performance due to an increased number of cache misses, and may cause higher load on backend servers.

Reference:
https://varnish-cache.org/security/VSV00006.html
Comment 1 Guilherme de Almeida Suckevicz 2021-03-16 19:26:08 UTC 
Created varnish-modules tracking bugs for this issue:

Affects: fedora-all [bug 1939671]


Created varnish:6.0/varnish-modules tracking bugs for this issue:

Affects: fedora-all [bug 1939672]
Comment 2 Ingvar Hagelund 2021-03-17 16:18:28 UTC 
rawhide/f35 has been updated with varnish-modules-0.17.1 which includes a fix for this problem.
Comment 3 Ingvar Hagelund 2021-03-17 16:35:23 UTC 
FEDORA-2021-2ad352ec70 security update for f34 has varnish-modules-0.17.1 which includes a fix for this problem. https://bodhi.fedoraproject.org/updates/FEDORA-2021-2ad352ec70
Comment 4 Tomas Hoger 2021-03-18 14:16:01 UTC 
This is not a Fedora bug, please do not change its state.
Comment 5 Fedora Update System 2021-03-22 02:08:13 UTC 
FEDORA-2021-2ad352ec70 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 6 Mauro Matteo Cascella 2021-03-31 08:04:08 UTC 
External References:

https://varnish-cache.org/security/VSV00006.html
Comment 7 Mauro Matteo Cascella 2021-03-31 08:29:40 UTC 
Upstream fix:
https://github.com/varnish/varnish-modules/commit/2c120e576ebb73bc247790184702ba58dc0afc39
Comment 8 Mauro Matteo Cascella 2021-03-31 08:32:34 UTC 
Mitigation:

Refer to https://varnish-cache.org/security/VSV00006.html#mitigation.
Comment 10 Mauro Matteo Cascella 2021-03-31 09:12:37 UTC 
Statement:

The following products are not affected by this flaw, as they ship an older version of the `varnish-modules` package which did not include the vulnerable code in the `header` vmod:
* Red Hat Enterprise Linux 8
* Red Hat Software Collections
Comment 11 Product Security DevOps Team 2021-03-31 11:35:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28543
Note You need to log in before you can comment on or make changes to this bug.