Security, bugs & vulnerabilities

  • Rev. 2021-08-17 phk

List of all Varnish CVEs

Versions        CVE             What
--------------  --------------  ---------------------------------------------------------
5.x, 6.x, 7.x   CVE-2023-43622  VSV00014 Varnish HTTP/2 Broke Window Attack
5.x, 6.x, 7.x   CVE-2023-44487  VSV00013 Varnish HTTP/2 Rapid Reset Attack
vmod_digest     CVE-2023-41104  VSV00012 Base64 decoding vulnerability in vmod-digest
6.x, 7.x        CVE-2022-45060  VSV00011 Varnish HTTP/2 Request Forgery Vulnerability
7.0, 7.1, 7.2   CVE-2022-45059  VSV00010 Varnish Request Smuggling Vulnerability
7.0, 7.1        CVE-2022-38150  VSV00009 Varnish Denial of Service Vulnerability
< 7.0.2         CVE-2022-23959  VSV00008 Varnish HTTP/1 Request Smuggling Vulnerability
6.0, 6.5, 6.6   CVE-2021-36740  VSV00007 Varnish HTTP/2 Request Smuggling Attack
(6.5)           CVE-2021-28543  VSV00006 varnish-modules Denial of Service
6.0, 6.2, 6.3   CVE-2020-11653  VSV00005 Varnish HTTP Proxy Protocol V2 Denial of Service
6.0, 6.2, 6.3   CVE-2019-20637  VSV00004 Workspace information leak
6.0, 6.2        CVE-2019-15892  VSV00003 DoS attack vector
4.1, 5.2        CVE-2017-8807   VSV00002 Data leak - ‘-sfile’ Stevedore transient objects
4.x, 5.x        CVE-2017-12425  VSV00001 DoS vulnerability
< 3.0.5         CVE-2013-4484   DoS
<= 3.0.3        CVE-2013-0345   Local information leak
2.0.6           CVE-2009-4488   Trophy hunting
< 2.1.0         CVE-2009-2936   Trophy hunting

We take security and quality very seriously in the Varnish project, and we are more than a little proud that it took eleven years before we had a major security issue.

I have found a security hole

Send email to Poul-Henning, Nils and Martin: Email addresses and GPG keys

I want to hear about security vulnerabilities

Subscribe to the Varnish Announce mailing list

Vulnerabilities are, and will continue to be, listed on this page: near the top while they are new, and further down as they get older.

I’m a VIVU goddammit!

Varnish users come in all sizes and levels of importance: some are private homepages, some are global CDNs, national governments or major news outlets.

We want to provide some way for Varnish users to get early warning about future security incidents, but we do not want to pass judgement on who are “Very Important Varnish Users”, and much less do we want to try to keep up-to-date contact information for a list that long.

We also don’t want to make this information free, because if we did, every criminal and his brother would sign up, to get a head start against the Varnish users.

The rule going forward is therefore that if you contributed at least EUR 240 towards a Varnish Moral License in the 12 months previous to the disclosure date, you will get early warning about security issues.

On a case-by-case basis and purely at our discretion, we will also extend this privilege to people who have contributed significantly to the project in other ways.

Security Politics

To be totally honest, this section is quite speculative; we have very little experience in this area, but this is how I expect we would react to a major security issue:

  • Assign a VSV number

  • Try to get a CVE assigned.

  • Create a VCL workaround, if at all possible.

  • Fix the problem.

  • If it makes sense (i.e. no VCL workaround), roll a point-release.

  • Announce on announce@varnish-cache.org and homepage.

  • Kick ourselves, for months, for missing the bug.

Define “Major”

As you will notice if you peruse the CVEs listed above, we are not kindly inclined to trophy-hunting and shrill alarmism.

If security advisories are to have any utility, they should be both rare and relevant.

In particular, we do not consider it a security vulnerability that somebody has a different taste in program architecture, or that aliens might be able to DoS Varnish servers if they have invented quantum computers we cannot even comprehend.

On the other hand, if we find anything, on our own or thanks to external contributors, which imperils Varnish users, we will not hesitate to issue a CVE to get people's attention.

11 years, really?

Yes, indeed. Luck probably has a lot to do with it, but luck tends to favour the well-prepared, and we have had a big focus on quality since the very start.

Here is a piece I wrote about it last year