Search

Open Source Varnish Cache Denial of Service Security

Published August 9, 2022.

Note: This issue applies only to the open source version of Varnish Cache, in version 7.0.x and 7.1.x. Varnish Enterprise is not affected. For more information please see the open source project’s advisory page.

A denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. In order to execute an attack, the attacker would have to be able to influence the HTTP/1 responses that the Varnish Server receives from its configured backends. A successful attack would cause the Varnish Server to assert and automatically restart.

Impact

The potential impact is reduced or lost availability.

Status

Affected software versions

  • Varnish Cache releases 7.0.0, 7.0.1, 7.0.2, 7.1.0

Resolved in

  • Varnish Cache 7.0.3 (released 2022-08-09)
  • Varnish Cache 7.1.1 (released 2022-08-09)

Not affected software versions

  • All versions of Varnish Cache 6.0 LTS series and Varnish Enterprise by Varnish Software.

References

Manuals
Varnish Enterprise
Varnish Cloud
Varnish Controller
Varnish High Availability
Varnish Custom Statistics
Varnish WAF
Varnish Broadcaster
Varnish Helm Chart
News
Varnish Enterprise 6.0.12r8
Varnish Helm Chart 1.3.0
A note on how Varnish handles an HTTP/2 CONTINUATION flood
Varnish Enterprise 6.0.12r7
Varnish Controller 6.0.2
News archive