Bug 2271486 (CVE-2024-30156) - CVE-2024-30156 varnish: HTTP/2 Broken Window Attack may result in denial of service
Summary: CVE-2024-30156 varnish: HTTP/2 Broken Window Attack may result in denial of service
Keywords:
Status: NEW
Alias: CVE-2024-30156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2271511 2271492 2271493 2271494 2271512
Blocks: 2271490
Reported: 2024-03-25 17:56 UTC by Marco Benatto
Modified: 2024-07-31 10:15 UTC (History)

Fixed In Version: varnish 7.4.3, varnish 7.3.2, varnish 6.0.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Varnish cache server, with HTTP/2 support enabled, that may allow a denial-of-service attack. A malicious actor can cause the server to run out of credits in the HTTP/2 connection flow control window. As a consequence, the server stops properly processing the active HTTP/2 streams while retaining the resources already allocated to them, leading to resource starvation.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links (System, ID, Last Updated; the Private, Priority, Status and Summary columns are empty for every entry)
Red Hat Product Errata RHBA-2024:1693 2024-04-08 09:23:42 UTC
Red Hat Product Errata RHBA-2024:1694 2024-04-08 11:30:56 UTC
Red Hat Product Errata RHBA-2024:1707 2024-04-09 07:05:53 UTC
Red Hat Product Errata RHSA-2024:1689 2024-04-08 08:44:23 UTC
Red Hat Product Errata RHSA-2024:1690 2024-04-08 09:12:51 UTC
Red Hat Product Errata RHSA-2024:1691 2024-04-08 09:14:50 UTC
Red Hat Product Errata RHSA-2024:2700 2024-05-06 06:44:43 UTC
Red Hat Product Errata RHSA-2024:2820 2024-05-13 01:22:33 UTC
Red Hat Product Errata RHSA-2024:2938 2024-05-21 05:09:23 UTC
Red Hat Product Errata RHSA-2024:3305 2024-05-23 06:56:52 UTC
Red Hat Product Errata RHSA-2024:3426 2024-05-28 14:25:33 UTC
Red Hat Product Errata RHSA-2024:4937 2024-07-31 10:15:10 UTC

Description Marco Benatto 2024-03-25 17:56:05 UTC
Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credit exhaustion for an HTTP/2 connection flow control window, aka a Broken Window Attack.

https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#security
https://varnish-cache.org/security/VSV00014.html

Comment 10 Marco Benatto 2024-03-25 19:59:37 UTC
Created varnish tracking bugs for this issue:

Affects: fedora-all [bug 2271511]

Comment 11 Marco Benatto 2024-03-25 20:00:13 UTC
Created varnish tracking bugs for this issue:

Affects: epel-7 [bug 2271512]

Comment 15 errata-xmlrpc 2024-04-08 08:44:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:1689 https://access.redhat.com/errata/RHSA-2024:1689

Comment 16 errata-xmlrpc 2024-04-08 09:12:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1690 https://access.redhat.com/errata/RHSA-2024:1690

Comment 17 errata-xmlrpc 2024-04-08 09:14:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1691 https://access.redhat.com/errata/RHSA-2024:1691

Comment 18 errata-xmlrpc 2024-05-06 06:44:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:2700 https://access.redhat.com/errata/RHSA-2024:2700

Comment 19 errata-xmlrpc 2024-05-13 01:22:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2820 https://access.redhat.com/errata/RHSA-2024:2820

Comment 20 errata-xmlrpc 2024-05-21 05:09:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:2938 https://access.redhat.com/errata/RHSA-2024:2938

Comment 21 errata-xmlrpc 2024-05-23 06:56:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3305 https://access.redhat.com/errata/RHSA-2024:3305

Comment 22 errata-xmlrpc 2024-05-28 14:25:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:3426 https://access.redhat.com/errata/RHSA-2024:3426

Comment 23 errata-xmlrpc 2024-07-31 10:15:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:4937 https://access.redhat.com/errata/RHSA-2024:4937