Security, bugs & vulnerabilities

  • Rev. 2019-10-07 phk

List of all Varnish CVEs

Versions        CVE             What
6.0, 6.2, 6.3   CVE-2020-11653  VSV00005 Varnish HTTP Proxy Protocol V2 Denial of Service
6.0, 6.2, 6.3   CVE-2019-20637  VSV00004 Workspace information leak
6.0, 6.2        CVE-2019-15892  VSV00003 DoS attack vector
4.1, 5.2        CVE-2017-8807   VSV00002 Data leak - ‘-sfile’ Stevedore transient objects
4.x, 5.x        CVE-2017-12425  VSV00001 DoS vulnerability
< 3.0.5         CVE-2013-4484   DoS
<= 3.0.3        CVE-2013-0345   Local information leak
2.0.6           CVE-2009-4488   Trophy hunting
< 2.1.0         CVE-2009-2936   Trophy hunting

We take security and quality very seriously in the Varnish project, and we are more than a little proud that it took eleven years before we had a major security issue.

I have found a security hole

Send email to Poul-Henning, Nils and Martin: Email addresses and GPG keys

I want to hear about security vulnerabilities

Subscribe to the Varnish Announce mailing list

Vulnerabilities are, and will continue to be, listed near the top of this page while they are new and further down as they get older.

I’m a VIVU goddammit!

Varnish users come in all sizes and importance, some are private homepages, some are global CDNs, national governments or major news outlets.

We want to provide some way for Varnish users to get early warning about future security incidents, but we do not want to pass judgement on who are “Very Important Varnish Users”, and much less do we want to try to keep up-to-date contact information for a list that long.

We also don’t want to make this information free, because if we did, every criminal and his brother would sign up, to get a head start against the Varnish users.

The rule going forward is therefore that if you contributed at least EUR240 towards a Varnish Moral License in the 12 months previous to the disclosure-date, you will get early warning about security issues.

On a case-by-case basis and purely at our discretion, we will also extend this privilege to people who have contributed significantly to the project in other ways.

Security Politics

To be totally honest, this section is quite speculative; we have very little experience in this area, but this is how I expect we would react to a major security issue:

  • Assign a VSV number
  • Try to get a CVE assigned.
  • Create a VCL workaround, if at all possible.
  • Fix the problem.
  • If it makes sense (i.e. no VCL workaround), roll a point-release.
  • Announce on announce@varnish-cache.org and homepage.
  • Kick ourselves, for months, for missing the bug.

Define “Major”

As you will notice if you peruse the CVEs listed above, we are not kindly inclined to trophy-hunting and shrill alarmism.

If security advisories are to have any utility, they should be both rare and relevant.

In particular, we do not consider it a security vulnerability that somebody has a different taste in program architecture, or that aliens might be able to DoS Varnish servers if they have invented quantum computers we cannot even comprehend.

On the other hand, if we find anything, on our own or thanks to external contributors, which imperils Varnish users, we will not hesitate to issue a CVE to get people’s attention.

11 years, really?

Yes, indeed. Luck probably has a lot to do with it, but luck tends to favour the well-prepared, and we have had a big focus on quality since the very start.

Here is a piece I wrote about it last year