CVE-2017-8807: Buffer Overflow
First published: Wed Nov 15 2017(Updated: )
vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to obtain sensitive information from process memory because a VFP_GetStorage buffer is larger than intended in certain circumstances involving -sfile Stevedore transient objects.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/varnish | 6.1.1-1+deb10u3 6.1.1-1+deb10u4 6.5.1-1+deb11u3 7.1.1-1.1 | |
| Varnish-cache Varnish | >=4.1.0<4.1.9 | |
| Varnish Cache Project Varnish Cache | >=5.0.0<5.2.1 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/varnishcache/varnish-cache/pull/2429
- https://security-tracker.debian.org/tracker/CVE-2017-8807
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8807
- https://varnish-cache.org/security/VSV00002.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881808
- http://varnish-cache.org/security/VSV00002.html
- https://github.com/varnishcache/varnish-cache/commit/176f8a075a
- http://www.securityfocus.com/bid/101886
- https://bugs.debian.org/881808
- https://github.com/varnishcache/varnish-cache/commit/176f8a075a963ffbfa56f1c460c15f6a1a6af5a7
- https://www.debian.org/security/2017/dsa-4034
Frequently Asked Questions
What is CVE-2017-8807?
CVE-2017-8807 is a vulnerability in Varnish HTTP Cache that allows remote attackers to obtain sensitive information from process memory.
How does CVE-2017-8807 work?
CVE-2017-8807 works by exploiting a larger buffer than intended in certain circumstances involving Stevedore tran..
What is the severity of CVE-2017-8807?
The severity of CVE-2017-8807 is critical, with a severity value of 9.1.
Which software versions are affected by CVE-2017-8807?
Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1, as well as certain versions of Debian Debian Linux and Microsoft .NET 6.0 are affected by CVE-2017-8807.
How can I fix CVE-2017-8807?
To fix CVE-2017-8807, update Varnish HTTP Cache to version 4.1.9 or higher for 4.1.x, or version 5.2.1 or higher for 5.x. If using Debian Debian Linux or Microsoft .NET 6.0, apply the relevant security patches.
- collector/debian-bugs
- alias/CVE-2017-8807
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/varnish-cache
- canonical/varnish-cache varnish
- version/varnish-cache varnish/4.1.0
- vendor/varnish cache project
- canonical/varnish cache project varnish cache
- version/varnish cache project varnish cache/5.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0