CVE-2015-8852
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: PARTIAL
- Availability impact: NONE

Summary
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 8 |
OS | | 1 |
Nessus
- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-201607-10.NASL
- description: The remote host is affected by the vulnerability described in GLSA-201607-10 (Varnish: Multiple vulnerabilities). Varnish fails to properly validate input from HTTP headers, and does not deny requests with multiple Content-Length headers.
  - Impact: Remote attackers could conduct an HTTP response splitting attack, which may further enable them to conduct Cross-Site Scripting (XSS), Cache Poisoning, Defacement, and Page Hijacking.
  - Workaround: There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 92480
- published: 2016-07-21
- reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/92480
- title: GLSA-201607-10 : Varnish: Multiple vulnerabilities
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201607-10.
#
# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(92480);
  script_version("$Revision: 2.2 $");
  script_cvs_date("$Date: 2016/10/10 14:25:16 $");

  script_cve_id("CVE-2015-8852");
  script_xref(name:"GLSA", value:"201607-10");

  script_name(english:"GLSA-201607-10 : Varnish: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201607-10
(Varnish: Multiple vulnerabilities)

    Varnish fails to properly validate input from HTTP headers, and does not
      deny requests with multiple Content-Length headers.

Impact :

    Remote attackers could conduct an HTTP response splitting attack, which
      may further enable them to conduct Cross-Site Scripting (XSS), Cache
      Poisoning, Defacement, and Page Hijacking.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201607-10"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Varnish users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=www-servers/varnish-3.0.7'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:varnish");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"www-servers/varnish", unaffected:make_list("ge 3.0.7"), vulnerable:make_list("lt 3.0.7"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Varnish");
}
```

- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2016-588.NASL
- description: This varnish update to version 3.0.7 fixes the following issues:
  - Security issues fixed:
    - CVE-2015-8852: Vulnerable to HTTP Smuggling issues: Double Content Length and bad EOL. (boo#976097)
  - Bugs fixed:
    - Stop recognizing a single CR (\r) as a HTTP line separator.
    - Improved error detection on master-child process communication, leading to faster recovery (child restart) if communication loses sync.
    - Fix a corner-case where Content-Length was wrong for HTTP 1.0 clients, when using gzip and streaming.
    - More robust handling of hop-by-hop headers.
    - Avoid memory leak when adding bans.
- last seen: 2020-06-05
- modified: 2016-05-18
- plugin id: 91205
- published: 2016-05-18
- reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/91205
- title: openSUSE Security Update : varnish (openSUSE-2016-588)

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-3553.NASL
- description: Regis Leroy from Makina Corpus discovered that varnish, a caching HTTP reverse proxy, is vulnerable to HTTP smuggling issues, potentially resulting in cache poisoning or bypassing of access control policies.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 90686
- published: 2016-04-25
- reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/90686
- title: Debian DSA-3553-1 : varnish - security update

- NASL family: Amazon Linux Local Security Checks
- NASL id: ALA_ALAS-2016-721.NASL
- description: Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request. (CVE-2015-8852)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 92223
- published: 2016-07-15
- reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/92223
- title: Amazon Linux AMI : varnish (ALAS-2016-721)

References
- http://www.debian.org/security/2016/dsa-3553
- http://www.openwall.com/lists/oss-security/2016/04/16/1
- https://github.com/varnish/Varnish-Cache/commit/29870c8fe95e4e8a672f6f28c5fbe692bea09e9c
- http://www.openwall.com/lists/oss-security/2016/04/18/7
- https://github.com/varnish/Varnish-Cache/commit/85e8468bec9416bd7e16b0d80cb820ecd2b330c3
- https://www.varnish-cache.org/lists/pipermail/varnish-announce/2015-March/000701.html
- https://security.gentoo.org/glsa/201607-10
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00064.html