varnish: DoS attack vector (CVE-2019-15892)
An HTTP/1 parsing failure has been uncovered in Varnish Cache that allows a remote attacker to trigger an assert in Varnish Cache by sending specially crafted HTTP/1 requests. The assert causes Varnish to automatically restart with a clean cache, which makes it a Denial of Service attack. The problem was uncovered by internal testing at Varnish Software. To the best of our knowledge, it has not been exploited.
The following is required for a successful attack:
The attacker must be able to send multiple HTTP/1 requests processed on the same HTTP/1 keepalive connection.
Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.
Affected Versions:
6.1.0 and forward
6.0 LTS by Varnish Software up to and including 6.0.3
Fixed In Version:
6.2.1
6.0.4 LTS by Varnish Software