January 8, 2018
This security advisory applies to those customers whose Fastly services received data in request bodies with GET and/or HEAD methods between August 31st and November 4th of 2017. If you did not, this does not apply to you.
From August 31st through November 4th, Fastly deployed a version of Varnish which contained a security bug that, in a limited and non-standard set of configurations, disclosed request bodies to other customer origins. In these cases, a request body sent to an affected Fastly customer's service would have been included in a malformed request to a different customer's origin, which may have been logged in that origin web server's access logs.
This issue affected an uncommon scenario: customers whose services received GET or HEAD requests with request bodies. According to RFC 7231 section 4.3.1, web servers are not obligated to treat a GET or HEAD request with a body as valid. These kind of requests are not sent during the course of regular web browsing behavior. Most instances that we saw were consistent with malformed requests or bot traffic.
Customers may have been affected if they built custom clients that submitted such requests. Fastly has not historically supported these requests, making the affected scenario unlikely. The disclosed data in all cases consisted of request bodies, and did not include request headers (such as cookies) or responses.
Fastly performed a comprehensive assessment to identify customers most likely to be affected by this issue. These customers have been contacted directly by Fastly Customer Engineering.
If the specific criteria described in the "Summary" section were satisfied, request bodies could have potentially been disclosed by prepending all or a portion of the request body to a request intended for another customer’s origin. There it would have been rejected as a malformed request, and potentially logged in the origin web server’s access logs, depending on that server’s configuration.
Deployment of a fixed version of Varnish, which fully addressed the issue, was completed on November 4th, 2017 at 14:46 UTC. This version was deployed as part of corrective action for what was believed to be solely a reliability issue. No requests after this date were affected by this vulnerability.
A post-mortem investigation by the Fastly security team on November 17th determined that this issue may have resulted in some data disclosure. In order to identify the scenarios in which this limited disclosure may have taken place, Fastly built a test environment with the affected version, and validated individual customer configurations, leading to the extended timeline of this event.
The exact root cause and impact was determined on December 8th, 2017, which resulted in the publication of this security advisory. Customers do not need to take any action to address this issue, as the issue has been fully addressed as of November 4th, 2017.
If you have any further questions, please contact Fastly Customer Engineering.