Vigil@nce - Varnish: denial of service via Vary
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is located behind Varnish, can send a malicious
Vary header to Varnish, in order to trigger a denial of service.
Impacted products: Varnish
Severity: 2/4
Creation date: 03/07/2014
DESCRIPTION OF THE VULNERABILITY
The Varnish product is positioned as a cache in front of a web
server.
The HTTP Vary header indicates the list of headers to use in order
to decide how to cache a page.
However, if the web server indicates to Varnish a long Vary
header, an assertion error occurs in the http_GetHdr() function of
the cache/cache_http.c file.
An attacker, who is located behind Varnish, can therefore send a
malicious Vary header to Varnish, in order to trigger a denial of
service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Varnish-denial-of-service-via-Vary-14985