Fastly Security Research Team

Fastly Security Research Team, Fastly

The Fastly Security Research Team focuses on ensuring our customers have the tools and data available to them to keep their systems secure. They analyze and ultimately help prevent attacks at Fastly scale. The team is a group of behind-the-scenes security experts who are here to help you stay on the cutting edge of the ever-evolving security landscape.

Show bio

Page 3 of 3

• Incorrect service routing involving HTTP/2 client connections

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On November 11, 2019, at 21:57 UTC, Fastly deployed a new build of its HTTP/2 termination software to two Fastly cache servers in the Minneapolis-St.Paul (STP) data center. This build contained a processing flaw involving connection re-use between internal Fastly systems (unrelated to HTTP/2 multiplexing), and caused some incoming HTTP/2 requests for Fastly customers’ services to potentially be routed incorrectly to a group of up to 20 different Fastly customers’ services and origins. This led to some client request data being delivered to, and a response returned by, an incorrect customer origin. The customers whose origins erroneously received these requests may have logged the incorrectly-routed request data. Fastly was first notified by a customer of a client error on November 12, 2019, at 23:07 UTC. On November 13, 2019, at 00:50 UTC, all customer traffic was diverted away from the affected data center. Fastly immediately commenced an investigation, and on November 14, 2019, at 00:31 UTC, we validated the presence of incorrectly routed request data in a customer’s logs. We estimate this flaw affected 0.00016% of our global request traffic during the 27-hour period. It is unlikely that affected client requests came from outside of North America. Because Fastly does not store customer log data, we are not able to say with certainty if an affected request was incorrectly routed.

  November 14, 2019

  Security

• Cache Poisoning Leveraging Various X-Headers

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On Thursday, August 9th, research was published at Black Hat USA 2018 on cache poisoning attacks against websites deployed behind caching infrastructure. These attacks could allow an attacker to inject arbitrary content into a victim’s cache. Fastly service configurations that do not take into consideration the interaction between headers that backends use to select content may be vulnerable. This risk can be fully mitigated via a VCL patch or by modifying backend configurations.

  August 13, 2018

  Security

• Vulnerability in Linux Kernel TCP implementation

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On August 6, 2018, a vulnerability in the Linux kernel TCP implementation, called SegmentSmack, was publicly disclosed. This vulnerability allowed a remote attacker to cause a denial-of-service attack on a target server by simply establishing a TCP connection to the server and sending specific segments over the connection. Fastly has worked with the security community in advance of this disclosure to address this vulnerability in our edge networks. They pose no threat to Fastly customers.

  August 06, 2018

  Security

• Vulnerability in modern processors

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On Wednesday, January 3rd, research was published on a class of security vulnerabilities affecting specific processors. These vulnerabilities could allow a user who can execute code on a system to gain unauthorized access to information across security boundaries. Fastly has completed initial analysis of these vulnerabilities and does not believe they pose an immediate threat to Fastly customers.

  January 09, 2018

  Security

• Request body disclosure to other Fastly services

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  From August 31st through November 4th, Fastly deployed a version of Varnish which contained a security bug that, in a limited and non-standard set of configurations, disclosed request bodies to other customer origins. In these cases, a request body sent to an affected Fastly customer's service would have been included in a malformed request to a different customer's origin, which may have been logged in that origin web server's access logs. Fastly performed a comprehensive assessment to identify customers most likely to be affected by this issue. These customers have been contacted directly by Fastly Customer Engineering.

  January 08, 2018

  Security

• Vulnerability in Fastly open source CDN module intended to be integrated into Magento2

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  During the investigation of a customer report, Fastly became aware of and addressed a security vulnerability (CVE-2017-13761) in the Fastly CDN module intended to be integrated into Magento2. This is open source code which Fastly releases to enable easy integration with our partner’s products. All versions prior to 1.2.26 are affected and customers are encouraged to upgrade. Fastly has reached out directly to customers currently using affected versions of the module.

  September 12, 2017

  Security

• Resolved: Fastly “forward secrecy” vulnerability

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On Monday, November 14, 2016, security researchers published a paper “Measuring the Security Harm of TLS Crypto Shortcuts.” Among other findings across the TLS implementation of several sites, the paper identified Fastly as not frequently rotating TLS session tickets, limiting the effectiveness of forward secrecy. While Fastly was not directly contacted by the researchers, Fastly had previously been made aware of the issue, and this vulnerability was addressed on Friday, November 11. No customer action is required to benefit from the fix.

  November 16, 2016

  Security

• Widespread Dyn DNS outage affecting Fastly customers

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On October 21st, 2016, Dyn, a major managed DNS provider, experienced a Distributed Denial of Service attack, which led to outages affecting several major websites, including Fastly infrastructure (such as the Fastly Control Panel and API) and Fastly customers. Fastly worked with our additional managed DNS providers to ensure availability during the incident. This mitigated impact on Fastly customers.

  October 21, 2016

  Security

• GlobalSign TLS certificate revocation errors

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On October 13, 2016 around 11:10am GMT, users visiting websites using GlobalSign TLS certificates, including some hosted by Fastly, started experiencing TLS certificate validation errors. This issue was caused by incorrect certificate revocation information published by our certificate vendor, GlobalSign. This security advisory describes the root cause of this issue, and describes the actions Fastly has taken to limit customer impact.

  October 18, 2016

  Security

• Vulnerability in use of HTTP_PROXY by CGI

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On Monday, July 18, 2016, security researchers published information on a vulnerability in the handling of the HTTP_PROXY environment variable by specific Common Gateway Interface (CGI) scripts. While this vulnerability does not affect Fastly, web servers used as origins may run a variety of scripts, some of which may be vulnerable. This Security Advisory provides guidance to customers on how they can protect origin servers from attacks.

  July 18, 2016

• DROWN Attack & Fastly

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  Today in conjunction with an OpenSSL Security Advisory several researchers announced a new attack on HTTPS they are calling “Decrypting RSA with Obsolete and Weakened Encryption,” or DROWN. Due to Fastly’s existing TLS configuration, our services, and customers using Fastly as their CDN, are not vulnerable to this attack.

  March 01, 2016

• Securing Edge-To-Origin TLS

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  Fastly has fixed a problem in our default Transport Layer Security (TLS) configuration that prevented proper certificate validation when connecting to customer origin servers. Services created after September 6th, 2015 were not affected. This advisory describes the issue to inform our customers of the potential exposure, the fix we’ve made, and additional improvements we’re making. This vulnerability has been assigned Fastly Security severity rating of HIGH.

  February 18, 2016

  Security

• CVE-2015-7547 Buffer Overflow in glibc

  Fastly Security Research Team, The Fastly Security Technical Account Management Team

  On Tuesday, February 16th, researchers published details about a new vulnerability in the glibc library, a standard C library. The vulnerability existed in the code used to translate hostnames into IP addresses. Processes that use it are very common across network service providers, such as CDNs. Fastly immediately implemented a security update on affected systems. No customer action is required. Fastly’s service was not impacted.

  February 16, 2016

  Security