#VU20865 Integer overflow in Varnish Cache - CVE-2017-12425

Cybersecurity Help s.r.o.

Published: 2019-09-04

Vulnerability identifier: #VU20865

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-12425

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Varnish Cache
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Varnish Software

Description

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to integer overflow when processing HTTP requests. A remote attacker can send a specially crafted HTTP request, trigger integer overflow and restart the caching server.

Successful exploitation of this vulnerability may allow an attacker to perform denial if service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Varnish Cache: 4.0.0 - 4.0.4, 4.1.0 - 4.1.7, 5.0.0, 5.1.0 - 5.1.2

External links
https://varnish-cache.org/security/VSV00001.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arch Linux update for varnish

Integer overflow in varnish (Alpine package)

Integer overflow in Varnish Cache

Fedora 26 update for varnish

Fedora 25 update for varnish

Fedora 24 update for varnish

Fedora EPEL 7 update for varnish