As BSI studies, an IT safety alert a couple of identified Varnish HTTP Cache vulnerability has obtained an replace. You can learn an outline of the safety hole together with the newest updates and details about affected working programs and merchandise right here.
The newest producer suggestions for updates, workarounds and safety patches for this vulnerability may be discovered right here: Red Hat Security Advisory RHSA-2024:3305 (From 23 May 2024). Some helpful sources are listed later on this article.
Security advisory for Varnish HTTP Cache – Risk: average
Risk stage: 3 (average)
CVSS Base Score: 7.5
CVSS provisional rating: 6.5
Remote management: Ja
The Common Vulnerability Scoring System (CVSS) is used to evaluate the vulnerability of pc programs. The CVSS normal makes it doable to match potential or precise safety dangers based mostly on numerous standards with a view to prioritize countermeasures. The attributes “none”, “low”, “medium”, “excessive” and “extreme” are used to find out the severity ranges of vulnerability. The Base Score evaluates the necessities of an assault (together with authentication, complexity, privileges, person interplay) and its outcomes. For short-term impact, body circumstances that will change over time are thought of within the check. According to CVSS, the chance of the vulnerability talked about right here is rated as “average” with 7.5 foundation factors.
Varnish’s HTTP cache bug: A vulnerability allows a denial of service
Varnish is a reverse proxy used as an HTTP accelerator.
A distant, unknown attacker might exploit a vulnerability within the Varnish HTTP cache to conduct a denial of service assault.
Vulnerabilities had been categorized utilizing the CVE (Common Vulnerabilities and Exposures) reference system for every serial quantity CVE-2024-30156.
About safety hole merchandise at a look
Products
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
Oracle Linux (cpe:/o:oracle:linux)
RESF Rocky Linux (cpe:/o:resf:rocky_linux)
Open Source Varnish HTTP Cache Open Source Varnish HTTP Cache Open Source Varnish HTTP Cache Open Source Varnish HTTP Cache
General suggestions for addressing IT safety gaps
- Users of affected programs ought to keep up-to-date. When safety holes are identified, producers are required to repair them rapidly by creating a patch or workaround. When new safety updates can be found, set up them instantly.
- For info, see the sources listed within the subsequent part. This typically comprises extra details about the newest model of the software program in query and the supply of safety patches or efficiency suggestions.
- If you’ve any additional questions or uncertainties, please contact your accountable administrator. IT safety managers ought to examine each time a producing firm makes a brand new safety replace out there.
Manufacturer details about updates, patches and workarounds
Here one can find some hyperlinks with details about bug studies, safety fixes and workarounds.
Red Hat Security Advisory RHSA-2024:3305 vom 2024-05-23 (22.05.2024)
For extra info, see:
Red Hat Security Advisory RHSA-2024:2938 vom 2024-05-21 (20.05.2024)
For extra info, see:
Red Hat Security Advisory RHSA-2024:2820 vom 2024-05-13 (12.05.2024)
For extra info, see:
Rocky Linux Security Advisory RLSA-2024:1690 vom 2024-05-06 (06.05.2024)
For extra info, see:
Red Hat Security Advisory RHSA-2024:2700 vom 2024-05-06 (05.05.2024)
For extra info, see:
Oracle Linux Security Advisory ELSA-2024-1691 vom 2024-04-09 (09.04.2024)
For extra info, see:
Oracle Linux Security Advisory ELSA-2024-1690 vom 2024-04-09 (09.04.2024)
For extra info, see:
Red Hat Security Advisory RHSA-2024:1689 vom 2024-04-08 (07.04.2024)
For extra info, see:
Red Hat Security Advisory RHSA-2024:1691 vom 2024-04-08 (07.04.2024)
For extra info, see:
Red Hat Security Advisory RHSA-2024:1690 vom 2024-04-08 (07.04.2024)
For extra info, see:
Github Advisory (24.03.2024)
For extra info, see:
NIST Vulnerability Database vom 2024-03-24 (24.03.2024)
For extra info, see:
Varnish Security Advisory vom 2024-03-24 (24.03.2024)
For extra info, see:
Version historical past of this safety alert
This is model 8 of this IT safety discover for Varnish HTTP Cache. If additional updates are introduced, this doc can be up to date. You can examine adjustments or additions on this model historical past.
March 24, 2024 – First model
04/07/2024 – New updates from Red Hat have been added
04/09/2024 – New Oracle Linux updates added
05/05/2024 – New updates from Red Hat have been added
May 6, 2024 – New updates from the Rocky Enterprise Software Foundation have been added
May 12, 2024 – New updates from Red Hat have been added
May 20, 2024 – New updates from Red Hat have been added
05/22/2024 – New updates from Red Hat have been added
+++ Editorial notice: This doc is predicated on present BSI knowledge and can be up to date in a data-driven method relying on the standing of the alert. We welcome suggestions and feedback at [email protected]. +++
comply with News.de you might be right here Facebook, Twitter, Pinterest once more YouTube? Here one can find sizzling information, present movies and a direct line to the editorial group.
kns/roj/information.de