FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

varnish -- DoS vulnerability in Varnish HTTP cache

Affected packages
varnish < 3.0.5


VuXML ID d9dbe6e8-84da-11e3-98bd-080027f2d077
Discovery 2013-10-30
Entry 2014-01-25

Varnish Cache Project reports:

If Varnish receives a certain illegal request, and the subroutine 'vcl_error{}' restarts the request, the varnishd worker process will crash with an assert.

The varnishd management process will restart the worker process, but there will be a brief interruption of service and the cache will be emptied, causing more traffic to go to the backend.

We are releasing this advisory because restarting from vcl_error{} is both fairly common and documented.

This is purely a denial of service vulnerability, there is no risk of privilege escalation.


Insert this at the top of your VCL file:

		sub vcl_error {
			if (obj.status == 400 || obj.status == 413) {

		Or add this test at the top of your existing vcl_error{}.


CVE Name CVE-2013-4484