A serious security vulnerability (CVE-2024-30156) has been uncovered in Varnish Cache, a widely used tool for boosting website speed and performance. Attackers can exploit this flaw to launch denial-of-service (DoS) attacks, potentially taking down large, content-rich websites.
What is Varnish Cache?
Varnish Cache is a powerful web application accelerator that acts as a “go-between” for web servers and visitors. It speeds up websites by storing cached copies of frequently requested content. When a user visits a Varnish-protected site, Varnish can often serve up the content directly, without bothering the main web server. This dramatically reduces server load and improves website responsiveness.
The Flaw: “Broke Window Attack”
The newly discovered vulnerability allows an attacker to disrupt Varnish Cache’s handling of HTTP/2 connections. By manipulating the way Varnish processes data, an attacker can essentially freeze the software, causing it to hold onto resources and preventing it from serving legitimate traffic. This is known as a “Broke Window Attack”.
Who’s at Risk?
Any organization using an affected version of Varnish Cache with HTTP/2 support enabled is at risk. This includes:
- Varnish Cache releases prior to 7.5.x, 7.4.3, 7.3.2, or 6.0.13 LTS
- Varnish Enterprise (commercial) versions up to and including 6.0.12r5
Urgent Action Required
Security teams and web administrators using Varnish Cache need to take action immediately:
- Upgrade: Upgrade as quickly as possible to a patched version of Varnish Cache.
- Disable HTTP/2 (Temporary): If immediate upgrades are impossible, disable HTTP/2 support as a short-term mitigation. Note that this might slightly impact website performance.
Importance of Patching
Staying on top of security updates is crucial to protect against web-based attacks. Unpatched systems using Varnish Cache are particularly vulnerable to DoS attacks, which can cripple websites and cause serious disruptions for businesses.
