FreeBSD F25A34B1-910D-11EE-A1A2-641C67A117D8
Nov 13, 2023 - 12:00 a.m.

varnish -- HTTP/2 Rapid Reset Attack

2023-11-13 00:00:00
vuxml.freebsd.org
Tags: varnish cache, http/2 protocol, denial of service, attack, http/2 rapid reset, unix

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.4
Confidence: Low

EPSS: 0.708
Percentile: 98.1%

Varnish Cache Project reports:

A denial of service attack can be performed on Varnish Cache servers
that have the HTTP/2 protocol turned on. An attacker can create a large
volume of streams and immediately reset them without ever reaching the
maximum number of concurrent streams allowed for the session, causing
the Varnish server to consume unnecessary resources processing requests
for which the response will not be delivered.

OS       Version  Architecture  Package   Version  Filename
FreeBSD  any      noarch        varnish7  < 7.4.2  UNKNOWN
FreeBSD  any      noarch        varnish6  < 6.6.3  UNKNOWN
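
As an added illustration (not code from Varnish Cache or the FreeBSD advisory), the Python example below replays a frame log to show why a concurrent-stream cap never trips on the pattern described above, while a per-connection budget of quickly reset streams does. The event tuple format, the thresholds and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds, chosen for this example (not Varnish defaults).
RAPID_S, LIMIT, PERIOD_S = 1.0, 100, 60.0

def analyze(events, rapid_s=RAPID_S, limit=LIMIT, period_s=PERIOD_S):
    """events: (ts, conn, stream_id, kind) tuples sorted by ts, where kind is
    "HEADERS" (client opens stream), "RST_STREAM" (client cancels) or
    "END" (response delivered). Returns (flagged, peak):
    flagged[conn] = ts when rapid resets exceeded `limit` within `period_s`,
    peak[conn] = highest number of simultaneously open streams seen."""
    opened = defaultdict(dict)    # conn -> {stream_id: open timestamp}
    rapid = defaultdict(deque)    # conn -> timestamps of recent rapid resets
    flagged, peak = {}, defaultdict(int)
    for ts, conn, sid, kind in events:
        if kind == "HEADERS":
            opened[conn][sid] = ts
            peak[conn] = max(peak[conn], len(opened[conn]))
            continue
        start = opened[conn].pop(sid, None)
        if kind != "RST_STREAM" or start is None or ts - start > rapid_s:
            continue              # normal completion, unknown stream, or late cancel
        window = rapid[conn]
        window.append(ts)
        while ts - window[0] > period_s:   # slide the window forward
            window.popleft()
        if len(window) > limit:
            flagged.setdefault(conn, ts)   # keep the first time the budget ran out
    return flagged, dict(peak)

def sample_events():
    """Constructed traffic: conn "A" opens 300 streams and resets each after
    1 ms; conn "B" makes 20 normal requests and cancels three of them late."""
    ev = []
    for i in range(300):
        t, sid = i * 0.010, 2 * i + 1
        ev += [(t, "A", sid, "HEADERS"), (t + 0.001, "A", sid, "RST_STREAM")]
    for i in range(20):
        t, sid = i * 0.5, 2 * i + 1
        late_cancel = i % 7 == 0
        ev.append((t, "B", sid, "HEADERS"))
        ev.append((t + 1.9, "B", sid, "RST_STREAM") if late_cancel
                  else (t + 0.2, "B", sid, "END"))
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    flagged, peak = analyze(sample_events())
    print("flagged:", flagged)
    print("peak concurrent streams:", peak)
```

Connection "A" is flagged even though it never has more than one stream open at a time, which is why a concurrency limit alone does not bound the work done per session.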