Varnish Enterprise Out-of-Bounds Read Vulnerability in MSE4 Stevedore Objects Allowing Information Disclosure

Vulnerability

An out-of-bounds read vulnerability has been identified in Varnish Enterprise versions prior to 6.0.13r13. This vulnerability allows remote attackers to access sensitive information by exploiting range requests on ephemeral objects managed by the MSE4 stevedore. The issue arises from incorrect buffer boundary calculations, which can lead to arbitrary data from the server's memory being leaked to clients. This vulnerability is specific to Varnish Enterprise instances using the MSE4 storage engine, and it could potentially expose cached content from other objects or internal data structures, such as TLS certificates.

Impact

Exploitation of this vulnerability can result in unauthorized information disclosure, with leaked data likely consisting of cached content from unrelated objects or internal data structures, including TLS certificates.

Remediation

Users are advised to upgrade Varnish Enterprise to version 6.0.13r13 or later. If an immediate upgrade is not possible, a VCL workaround can be applied to disable range request handling for cache hits on ephemeral MSE4 objects. This workaround involves modifying the `vcl_hit` subroutine to turn off range support for these objects.
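When checking a fleet against the fixed release, the `rN` suffix has to be compared numerically: as plain strings, `6.0.13r9` sorts after `6.0.13r13`. The Python below is an added example, not code from Varnish Software or from this advisory; the inventory, host names, the `varnish-plus-` prefix and the `uses_mse4` flag are constructed assumptions.

```python
import re

FIXED = (6, 0, 13, 13)  # 6.0.13r13, the fixed release named in the advisory

# Matches "6.0.13r13", optionally embedded in a longer string such as a
# package or banner line. The surrounding text is an assumption; only the
# MAJOR.MINOR.PATCHrREV shape is taken from the advisory.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)r(\d+)")


def parse_version(text):
    """Return (major, minor, patch, rev) or None if no version is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(version_text, uses_mse4):
    """Classify one host: not-affected, patched, vulnerable or unknown."""
    if not uses_mse4:
        return "not-affected"  # advisory: only MSE4 instances are affected
    version = parse_version(version_text)
    if version is None:
        return "unknown"       # fail closed: needs manual review
    # Tuple comparison is numeric per field, so r9 < r13 as intended.
    return "patched" if version >= FIXED else "vulnerable"


# Constructed inventory: (host, reported version string, uses MSE4?)
INVENTORY = [
    ("cache-01", "6.0.13r13", True),
    ("cache-02", "6.0.13r9", True),   # sorts after r13 as a plain string
    ("cache-03", "varnish-plus-6.0.12r4", True),
    ("cache-04", "6.0.13r2", False),
    ("cache-05", "custom-build", True),
]


def run(inventory=INVENTORY):
    """Return {host: status} for every inventory entry."""
    return {host: triage(ver, mse4) for host, ver, mse4 in inventory}


if __name__ == "__main__":
    for host, status in run().items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be treated as vulnerable until their version is confirmed.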

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 8.3
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.