PT-2017-12550 · Varnish · Varnish Http Cache

Mbgrydeland · Published 2017-08-02 · Updated 2022-08-02 · CVE-2017-12425

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Varnish HTTP Cache versions 4.0.1 through 4.0.4
Varnish HTTP Cache versions 4.1.0 through 4.1.7
Varnish HTTP Cache version 5.0.0
Varnish HTTP Cache versions 5.1.0 through 5.1.2

Description

An issue was discovered in the varnishd source code: an incorrect if statement can cause the varnishd worker process to abort and restart when a client sends particular invalid requests. The flaw is related to an integer overflow, which can trigger an assert. As a result, an attacker can crash the varnishd worker process on demand, preventing it from serving content and causing a denial of service.

Recommendations

Varnish HTTP Cache versions 4.0.1 through 4.0.4: update to a version outside of this range.
Varnish HTTP Cache versions 4.1.0 through 4.1.7: update to a version outside of this range.
Varnish HTTP Cache version 5.0.0: update to a version other than this one.
Varnish HTTP Cache versions 5.1.0 through 5.1.2: update to a version outside of this range.

As a temporary workaround, consider restricting access to the varnishd worker process to minimize the risk of exploitation.
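
To apply the affected-version list above across a fleet, the following added example (not part of the original advisory or of the Varnish project) checks collected version strings against the listed ranges. The banner shape `varnishd (varnish-X.Y.Z revision ...)` as printed by `varnishd -V` is an assumption, and the hostnames and sample banners are constructed.

```python
import re

# Affected ranges exactly as listed in this advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((4, 0, 1), (4, 0, 4)),
    ((4, 1, 0), (4, 1, 7)),
    ((5, 0, 0), (5, 0, 0)),
    ((5, 1, 0), (5, 1, 2)),
]

# Assumed banner shape: "varnishd (varnish-4.1.7 revision <hash>)"; a bare "4.1.7" also parses.
_BANNER_RE = re.compile(r"varnish-(\d+)\.(\d+)\.(\d+)")
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\s*")

def parse_version(text):
    """Return (major, minor, patch), or None when no version can be read."""
    m = _BANNER_RE.search(text) or _BARE_RE.fullmatch(text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(text):
    """True if the version falls inside one of the advisory's ranges."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no Varnish version found in {text!r}")
    return any(low <= version <= high for low, high in AFFECTED_RANGES)

def triage(inventory):
    """Map each host to 'affected', 'outside affected ranges' or 'unparsed'."""
    result = {}
    for host, banner in inventory.items():
        if parse_version(banner) is None:
            result[host] = "unparsed"  # never report an unreadable host as safe
        elif is_affected(banner):
            result[host] = "affected"
        else:
            result[host] = "outside affected ranges"
    return result

# Constructed sample inventory (hostnames and revision strings are made up).
SAMPLE_INVENTORY = {
    "cache-a": "varnishd (varnish-4.1.7 revision 0000000)",
    "cache-b": "varnishd (varnish-4.1.8 revision 0000000)",
    "cache-c": "5.0.0",
    "cache-d": "varnishd (unknown build)",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Distribution packages can carry a backported fix under an unchanged upstream version number (this page lists DSA-3924-1 and MGASA-2017-0253), so an "affected" result from an upstream version string should be confirmed against the installed package revision.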

Fix

DoS

Integer Overflow

Weakness Enumeration

Related Identifiers

CVE-2017-12425
DSA-3924-1
MGASA-2017-0253

Affected Products

Varnish Http Cache