Security advisory: EZSA-2020-002

Unauthorised cache purge with misconfigured Fastly
Publication date: 11/03/2020, 16:12

Severity: High

Affected versions: eZ Platform with eZ Cloud (Platform.sh) and Fastly
Resolving versions: N/A (follow documented recommendation)

This Security Advisory concerns a potential vulnerability in how cache is purged when using eZ Platform with eZ Cloud (Platform.sh) and Fastly. We say "potential vulnerability" because, when eZ Platform is correctly configured for this setup, it is not vulnerable. If the configuration is not correct, however, an attacker could abuse it to purge all caches on a target site repeatedly, leading to very poor performance and a potential Denial-of-Service (DoS).


The configuration in question:

Varnish is enabled by default when deploying on Platform.sh. In order to use Fastly with eZ Platform, Varnish must be disabled, as is documented here:

https://docs.platform.sh/frameworks/ez/fastly.html#remove-varnish-configuration

This includes, among other things, removing this environment variable:

SYMFONY_TRUSTED_PROXIES: "TRUST_REMOTE"


All these conditions must be met to be vulnerable:

- Use eZ Platform on eZ Cloud (Platform.sh)

- Use Fastly

- Have not disabled Varnish

If you are vulnerable, disable Varnish as documented and redeploy as soon as possible.
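As an added check (not part of this advisory, nor of eZ Platform or Platform.sh tooling), the following POSIX shell script looks for the two indicators named above in a project before redeploying: the SYMFONY_TRUSTED_PROXIES variable still set to TRUST_REMOTE, and a Varnish service still defined. It assumes the Platform.sh project layout (.platform.app.yaml for application variables, .platform/services.yaml for services); the file names, the grep patterns and the sample configuration text in the script are assumptions and constructed input, not values taken from a real deployment.

```shell
#!/bin/sh
# Added example, not part of the advisory or of eZ/Platform.sh tooling.
# Looks for the two indicators this advisory names: SYMFONY_TRUSTED_PROXIES
# still set to TRUST_REMOTE, and a Varnish service still defined.
# Assumptions: Platform.sh layout (.platform.app.yaml holds "variables: env:",
# .platform/services.yaml holds a service with a "type: varnish..." line).

# Returns 0 when the value is safe (unset or anything other than TRUST_REMOTE),
# 1 when it is the value the advisory says to remove.
check_trusted_proxies_value() {
    if [ "$1" = "TRUST_REMOTE" ]; then
        return 1
    fi
    return 0
}

# Scans configuration text (YAML passed as a string) for both indicators.
# Prints one line per finding; returns 1 if anything was found, else 0.
scan_config_text() {
    text="$1"
    found=0
    if printf '%s\n' "$text" | grep -Eq '^[[:space:]]*SYMFONY_TRUSTED_PROXIES:[[:space:]]*"?TRUST_REMOTE"?[[:space:]]*$'; then
        echo "FOUND: SYMFONY_TRUSTED_PROXIES is TRUST_REMOTE; remove it when using Fastly"
        found=1
    fi
    if printf '%s\n' "$text" | grep -Eq '^[[:space:]]*type:[[:space:]]*varnish'; then
        echo "FOUND: Varnish service still defined; disable it when using Fastly"
        found=1
    fi
    return "$found"
}

# Wrapper over real files; files that do not exist are skipped.
# Returns 1 if any scanned file contained an indicator.
scan_config_files() {
    overall=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        echo "== $f"
        scan_config_text "$(cat "$f")" || overall=1
    done
    return "$overall"
}

# Constructed samples (not from any real project), used for the demo below.
SAMPLE_VULNERABLE='variables:
  env:
    SYMFONY_TRUSTED_PROXIES: "TRUST_REMOTE"'
SAMPLE_CLEAN='variables:
  env:
    APP_ENV: prod'

# Check the live environment and the repository files when run inside a checkout.
check_trusted_proxies_value "${SYMFONY_TRUSTED_PROXIES:-}" \
    || echo "FOUND: SYMFONY_TRUSTED_PROXIES=TRUST_REMOTE in the current environment"
scan_config_files .platform.app.yaml .platform/services.yaml || true

# Demo on the constructed sample: reports the finding and a verdict.
scan_config_text "$SAMPLE_VULNERABLE" || echo "verdict: vulnerable combination (sample)"
```

Run it from the project root before redeploying; a non-zero return from scan_config_files means at least one of the indicators is still present and the Fastly setup steps have not been completed. The patterns are deliberately narrow (they match the two lines the advisory and the linked Platform.sh page describe), so a clean result from this script is a precondition, not a substitute for following the documented removal steps.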


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ezplatform.com/en/latest/guide/reporting_issues/
