CVE-2019-15892
📋 TL;DR
CVE-2019-15892 is a denial-of-service vulnerability in the Varnish Cache HTTP/1 parser. An attacker can send a crafted HTTP/1 request that triggers an assertion failure, causing Varnish to restart with an empty cache. This affects Varnish Cache installations running versions before the patched releases.
💻 Affected Systems
- Varnish Cache
📦 What is this software?
Varnish Cache by Varnish Software
Varnish Cache by Varnish Cache Project
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption with cache loss, requiring manual intervention to restore normal operations.
Likely Case
Service interruption during automatic restart, temporary performance degradation due to cold cache.
If Mitigated
Minimal impact with proper monitoring and rapid restart capabilities.
🎯 Exploit Status
Crafting malicious HTTP/1 requests requires moderate technical knowledge but tools could automate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.4 LTS, 6.2.1, or later
Vendor Advisory: https://varnish-cache.org/security/
Restart Required: Yes
Instructions:
1. Check the current Varnish version.
2. Update to a patched version via the package manager.
3. Restart the Varnish service.
4. Verify the version and functionality.
🔧 Temporary Workarounds
HTTP/2 or HTTP/3 Only
Disable HTTP/1 support if only HTTP/2 or HTTP/3 is required
# Configure Varnish to only accept HTTP/2/3 connections
Rate Limiting
Implement rate limiting on HTTP/1 requests to reduce the attack surface
# Use iptables or similar to limit concurrent connections per source IP
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP
🧯 If You Can't Patch
- Implement network-level filtering to block suspicious HTTP/1 patterns
- Deploy redundant Varnish instances with load balancing to maintain service during restarts
🔍 How to Verify
Check if Vulnerable:
Run 'varnishd -V' and check whether the version is before 6.0.4 LTS, a 6.1.x release (before 6.2.1), or a 6.2.x release before 6.2.1
Check Version:
varnishd -V
Verify Fix Applied:
Confirm version is 6.0.4 LTS, 6.2.1, or later using 'varnishd -V'
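The version check above, as an added Python example (not code from the page or the Varnish project): it parses the output of 'varnishd -V' (the 'varnishd (varnish-X.Y.Z revision ...)' first-line format is assumed) and applies the page's version rule. The sample output is constructed.

```python
import re
import subprocess

# Constructed sample of 'varnishd -V' output (revision hash is a placeholder).
SAMPLE_OUTPUT = (
    "varnishd (varnish-6.0.3 revision 0123456789abcdef)\n"
    "Copyright (c) 2006 Verdens Gang AS\n"
)


def parse_varnishd_version(output):
    """Return (major, minor, patch) from 'varnishd -V' output.

    Assumes the output contains a 'varnish-X.Y.Z' token; raises if it does not.
    """
    m = re.search(r"varnish-(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no varnish-X.Y.Z version string found")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Apply the rule stated on this page for CVE-2019-15892.

    Vulnerable: before 6.0.4 LTS, any 6.1.x (fixed in 6.2.1), or 6.2.x before 6.2.1.
    Branches older than 6.0 fall under the page's 'before 6.0.4' rule here;
    consult the vendor advisory for their exact status.
    """
    if version < (6, 0, 4):
        return True
    if version[:2] == (6, 1):
        return True
    if (6, 2, 0) <= version < (6, 2, 1):
        return True
    return False


def check_installed_varnishd():
    """Run the real 'varnishd -V' (which prints to stderr, so both streams are captured)."""
    out = subprocess.run(["varnishd", "-V"], capture_output=True, text=True)
    version = parse_varnishd_version(out.stdout + out.stderr)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    v, vuln = check_installed_varnishd()
    print("varnish %d.%d.%d: %s" % (v + (("VULNERABLE" if vuln else "patched"),)))
```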
📡 Detection & Monitoring
Log Indicators:
- Varnish assertion failures
- Unexpected restarts
- Cache cleared messages
Network Indicators:
- Malformed HTTP/1 requests with unusual headers or structure
SIEM Query:
source="varnish" AND ("assert" OR "restart" OR "panic")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00069.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00089.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3OEOCYRU43TWEU2C65F3D6GK64MSWNNK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DBAQF6UDRSTURGINIMSMLJR4PTDYWA7C/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KLSF54TDJWJLINIFEW5V5BKDNY5EQRR3/
- https://seclists.org/bugtraq/2019/Sep/5
- https://varnish-cache.org/security/VSV00003.html
- https://www.debian.org/security/2019/dsa-4514