CVE-2013-4484 – Varnish Cache Denial Of Service

https://notcve.org/view.php?id=CVE-2013-4484

Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI. Vulnerablilidad en Varnish antes de 3.0.5 permite a atacantes remotos provocar una denegación de servicio (caída del proceso hijo y corte de caché temporal) a través de una solicitud GET con espacios en blanco finales y sin URI. If Varnish receives a certain illegal request, and the subroutine 'vcl_error{}' restarts the request, the varnishd worker process will crash with an assert. The varnishd management process will restart the worker process, but there will be a brief interruption of service and the cache will be emptied, causing more traffic to go to the backend. Versions 2.0.x, 2.1.x, and 3.0.x are affected. • http://archives.neohapsis.com/archives/bugtraq/2013-10/0158.html http://lists.opensuse.org/opensuse-updates/2013-11/msg00029.html http://lists.opensuse.org/opensuse-updates/2013-11/msg00033.html http://secunia.com/advisories/55452 http://secunia.com/advisories/55746 http://www.debian.org/security/2012/dsa-2814 http://www.openwall.com/lists/oss-security/2013/10/30/5 https://www.varnish-cache.org/trac/ticket/1367 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •