[oss-security] Varnish - no CVE == bug regression

Poul-Henning Kamp phk at phk.freebsd.dk
Sat Jul 5 16:36:52 CEST 2014


I have just read the followup discussion and will add these comments:

First of all, if you want an overview of the security design of
Varnish, it is here:

	https://www.varnish-cache.org/docs/trunk/phk/barriers.html

Second, since Varnish serves HTTP, a DoS is not something out of
the ordinary.  It happens all the time to our users, we consider
DoS attacks a fact of life.  The better we handle them, the better we
handle them, but we will never be able to cope with them all,
not in a world where Evil botnets or Good authors can point millions
of browsers at the same web property in an instant.

Third, with respect to "never trusting input":  Varnish doesn't.
But in some cases we distust with an assert.  Either because it is
an utterly pathological situation where no sane handling or recovery
is possible or because the condition is so rare that our time is
better spent improving quality and error handling elsewhere.

Fourth, comparisons to root-shells and OpenSSL ciphers ?  Really ?
Has nobody told you that a bad analogy is like a wet screwdriver ?

Fifth, some of you have a really weird definition of "DoS", and
since the same people seem very fond of analogies, I'll answer with
one:  When I say "Varnish trust the backend backend", I mean that
it does so because that is its job.  The backend is the guitar,
Varnish is the PA system.  If you plug the guitar cable into 110VAC,
you don't expect the PA to generate an 60Hz earthquake, you expect
it to blow a fuse.  In Varnish that "fuse" is an assert.  If, like
most PA systems, such abuse left Varnish as an irepairable smoking
environmental hazard, *then* I would agree that it constituted a
DoS, but the "fuse" in Varnish self-repairs in a fraction of a
second, and as soon as you plug a working microphone back in again,
Varnish will keep on rocking with you.  Would it be better not to
blow the fuse ? Sure.  Does it matter ?  Not really.

Sixth, people building CDNs for third party traffic with Varnish
had better know what they're doing, since that is (slightly) outside
Varnish security and authority design.  The CDNs I know about do
know what they're doing.  (There may be others.)

(If there are any questions, please keep me in the CC: I'm not
on the oss-sec list).

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.



More information about the varnish-misc mailing list