Reachable Assertion in Varnish Cache

#VU66219 Reachable Assertion in Varnish Cache

Published: 2022-08-09 | Updated: 2022-11-28

Vulnerability identifier: #VU66219

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-38150

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Varnish Cache
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Varnish Software

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when processing HTTP/1 responses from configured backends. A remote attacker with ability to influence server response can pass specially crafted reason phrase of the backend response status line and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Varnish Cache: 7.1.0, 7.0.0 - 7.0.2

External links
http://docs.varnish-software.com/security/VSV00009

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 22.03 LTS update for varnish

Denial of service in Varnish Cache