CVE-2024-30156
📋 TL;DR
This vulnerability allows attackers to exhaust HTTP/2 connection flow control windows in Varnish Cache, causing denial of service. It affects Varnish Cache and Varnish Enterprise installations using HTTP/2. Attackers can disrupt service availability by sending specially crafted requests.
💻 Affected Systems
- Varnish Cache
- Varnish Enterprise
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for all HTTP/2 connections, making affected services unavailable to legitimate users.
Likely Case
Service degradation or intermittent outages affecting HTTP/2 clients, potentially causing performance issues.
If Mitigated
Minimal impact with proper rate limiting and monitoring in place, though service could still be affected during attacks.
🎯 Exploit Status
Attack requires sending HTTP/2 requests but no authentication. Exploit details are not publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varnish Cache: 7.3.2, 7.4.3, 6.0.13 LTS; Varnish Enterprise: 6.0.12r6
Vendor Advisory: https://varnish-cache.org/security/VSV00014.html
Restart Required: Yes
Instructions:
1. Download patched version from official Varnish repositories. 2. Stop Varnish service. 3. Install updated package. 4. Restart Varnish service. 5. Verify version with 'varnishd -V'.
🔧 Temporary Workarounds
Disable HTTP/2
allDisable HTTP/2 protocol support to eliminate vulnerability vector
varnishd -p feature=+http2 -p feature=-http2
Implement rate limiting
allLimit HTTP/2 connection requests to reduce attack effectiveness
Configure VCL with client.identity and vsthrottle
🧯 If You Can't Patch
- Implement network-level rate limiting for HTTP/2 traffic
- Monitor for abnormal HTTP/2 connection patterns and implement alerting
🔍 How to Verify
Check if Vulnerable:
Run 'varnishd -V' and check if version matches affected ranges. Also check if HTTP/2 is enabled in configuration.Check Version:
varnishd -VVerify Fix Applied:
Run 'varnishd -V' and confirm version is 7.3.2+, 7.4.3+, 6.0.13 LTS+, or Varnish Enterprise 6.0.12r6+.📡 Detection & Monitoring
Log Indicators:
- Unusual number of HTTP/2 connection resets
- Abnormal flow control window exhaustion messages
- Spike in HTTP/2 error rates
Network Indicators:
- High volume of HTTP/2 requests from single sources
- Abnormal HTTP/2 frame patterns
- Connection window size manipulation attempts
SIEM Query:
source="varnish" AND ("HTTP/2" OR "flow control") AND (error OR reset OR exhaustion)