An assert can be triggered in Varnish Cache and Varnish Cache Plus by a remote client sending a specially crafted HTTP request. Varnish will panic and restart when the assert is triggered, which constitutes a denial of service attack.
The potential impact is reduced or completely lost availability.
The cache will be empty after the restart unless Massive Storage Engine is used in persistence mode. An empty cache after restart will reduce overall performance due to an increased number of cache misses, and may cause higher load on the backend servers.
There is no potential for remote code execution or data leaks related to this vulnerability.
Affected software versions
- Varnish Cache Plus 4.0.2r0, 4.0.3r1, 4.0.3r2, 4.0.3r3, 4.0.3r4, 4.0.3r5, 4.0.3r6 and 4.0.4r1.
- Varnish Cache Plus 4.1.2r1, 4.1.3r1, 4.1.4r1, 4.1.4r2, 4.1.4r3, 4.1.4r4, 4.1.4r5, 4.1.5r1, 4.1.5r2, 4.1.6r1, 4.1.6r2, 4.1.7r1 and 4.1.7r2.
- Varnish Cache 4.0.1, 4.0.2, 4.0.3 and 4.0.4.
- Varnish Cache 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6 and 4.1.7.
- Varnish Cache 5.0.0, 5.1.0, 5.1.1 and 5.1.2.
- Varnish Cache Plus 4.0.4r2.
- Varnish Cache Plus 4.1.7r3.
- Varnish Cache 4.0.5.
- Varnish Cache 4.1.8.
- Varnish Cache 5.1.3.
The solution is to upgrade Varnish to one of the versions where this issue has been resolved, and then ensure that Varnish is restarted.
All Drupion servers have been upgraded to secure Varnish-4.0.5 revision 07eff4c29 unless the Varnish repository was specifically disabled by a customer request. You can check if that is not the case with your Drupion server by logging into your server via SSH and running the
varnishd -V command. You should see:
varnishd (varnish-4.0.5 revision 07eff4c29)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2014 Varnish Software AS
For additional information please read: https://docs.varnish-software.com/security/VSV00001/#overview