An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases.
References
Link | Resource |
---|---|
http://www.debian.org/security/2017/dsa-3924 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1477222 | Issue Tracking Third Party Advisory |
https://bugzilla.suse.com/show_bug.cgi?id=1051917 | Issue Tracking Third Party Advisory |
https://github.com/varnishcache/varnish-cache/issues/2379 | Third Party Advisory |
https://lists.debian.org/debian-security-announce/2017/msg00186.html | Mailing List Third Party Advisory |
https://www.varnish-cache.org/security/VSV00001.html#vsv00001 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-08-04T09:00:00
Updated: 2017-11-03T18:57:01
Reserved: 2017-08-04T00:00:00
Link: CVE-2017-12425
JSON object: View
NVD Information
Status : Modified
Published: 2017-08-04T09:29:00.237
Modified: 2022-08-02T19:13:18.077
Link: CVE-2017-12425
JSON object: View
Redhat Information
No data.
CWE