A flaw was found in the Varnish cache server, with HTTP/2 support enabled, that may allow a Denial of Service attack. A malicious actor can cause the server to run out of credits during HTTP/2 connection flow control. As a consequence, the server stops properly processing the active HTTP streams while retaining the already allocated resources, leading to resource starvation.
A possible mitigation for this issue is to disable http2 support until the package can be updated.
This can be performed by running the following command:
varnishadm param.set feature -http2
Note: you must also remove h2 from the list of protocols if your TLS terminator is advertising it with ALPN.
It's also possible to use the MAIN.sc_bankrupt counter to monitor possible ongoing attacks against the Varnish server.
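The following is an added shell example, not part of the advisory and not Varnish project code, showing how the MAIN.sc_bankrupt counter can be sampled from `varnishstat -1` output and compared across two samples so that a rise in bankrupt sessions can be alerted on. It assumes the `varnishstat -1` line layout "NAME VALUE RATE DESCRIPTION"; the two stats dumps embedded below are constructed for offline use and are not real varnishstat output, and the live `varnishstat`/`varnishadm` invocations are left as comments.

```shell
#!/bin/sh
# Added example: detect growth of MAIN.sc_bankrupt between two varnishstat samples.
# Assumption: `varnishstat -1` prints one counter per line as
#   NAME  VALUE  RATE  DESCRIPTION

# Print the VALUE column for one counter read from a varnishstat -1 dump on stdin.
# Exit status 1 if the counter is not present in the dump.
counter_value() {
    # $1 = counter name, e.g. MAIN.sc_bankrupt
    awk -v name="$1" '$1 == name { print $2; found = 1 } END { if (!found) exit 1 }'
}

# Print the increase and return 0 if the counter grew from $1 to $2; return 1 otherwise.
bankrupt_delta() {
    # $1 = previous value, $2 = current value
    delta=$(( $2 - $1 ))
    if [ "$delta" -gt 0 ]; then
        echo "$delta"
        return 0
    fi
    return 1
}

# Constructed sample dumps (not real varnishstat output) so the script runs offline.
SAMPLE_BEFORE='MAIN.sessions_open           12         0.00 Session open
MAIN.sc_bankrupt              0         0.00 Session Err BANKRUPT
MAIN.sc_rx_bad                1         0.00 Session Err RX_BAD'
SAMPLE_AFTER='MAIN.sessions_open           40         0.00 Session open
MAIN.sc_bankrupt              7         0.12 Session Err BANKRUPT
MAIN.sc_rx_bad                1         0.00 Session Err RX_BAD'

# Live use against a running varnishd (commented out so the example stays offline):
#   before=$(varnishstat -1 | counter_value MAIN.sc_bankrupt)
#   sleep 60
#   after=$(varnishstat -1 | counter_value MAIN.sc_bankrupt)
#   if bankrupt_delta "$before" "$after"; then
#       # Counter rose: apply the advisory's mitigation until the package is updated.
#       varnishadm param.set feature -http2
#       varnishadm param.show feature   # confirm http2 is no longer listed as enabled
#   fi

main() {
    before=$(printf '%s\n' "$SAMPLE_BEFORE" | counter_value MAIN.sc_bankrupt)
    after=$(printf '%s\n' "$SAMPLE_AFTER" | counter_value MAIN.sc_bankrupt)
    if d=$(bankrupt_delta "$before" "$after"); then
        echo "MAIN.sc_bankrupt increased by $d sessions: possible HTTP/2 flow-control exhaustion"
    else
        echo "MAIN.sc_bankrupt unchanged"
    fi
}
main
```

Sampling the counter at a fixed interval and alerting on any positive delta is enough to notice the condition the advisory describes, since sessions are only closed as bankrupt when the HTTP/2 flow-control credits have been exhausted.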