EZSA-2020-002: Unauthorised cache purge with misconfigured Fastly

Publication date:
11/03/2020 16:12

Severity:
High

Affected versions: eZ Platform with eZ Cloud (Platform.sh) and Fastly
Resolving versions: N/A (follow documented recommendation)

This Security Advisory concerns a potential vulnerability in how the cache is purged when eZ Platform is used with eZ Cloud (Platform.sh) and Fastly. We say "potential vulnerability" because, when eZ Platform is correctly configured for this setup, it is not vulnerable. If the configuration is incorrect, however, an attacker could abuse it to purge all caches on a target site repeatedly, leading to very poor performance and a potential Denial-of-Service (DoS).

The configuration in question:
Varnish is enabled by default when deploying on Platform.sh. To use Fastly with eZ Platform, Varnish must be disabled, as documented here:
https://docs.platform.sh/frameworks/ez/fastly.html#remove-varnish-configuration
This includes, among other things, removing this environment variable:
SYMFONY_TRUSTED_PROXIES: "TRUST_REMOTE"

All these conditions must be met to be vulnerable:
- Use eZ Platform on eZ Cloud (Platform.sh)
- Use Fastly
- Have not disabled Varnish

If you are vulnerable, please disable Varnish as documented and redeploy as soon as possible.
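The following is an added pre-deploy check, not code from eZ or Platform.sh, that scans a Platform.sh app configuration for the SYMFONY_TRUSTED_PROXIES: "TRUST_REMOTE" variable named above and a services file for a Varnish service that should have been removed. The file layout and the `type: varnish:...` service syntax are assumptions, and the two sample configurations are constructed for the example.

```python
"""Check a Platform.sh configuration for the EZSA-2020-002 misconfiguration:
Fastly in front of eZ Platform while the Varnish integration (and its
SYMFONY_TRUSTED_PROXIES=TRUST_REMOTE variable) is still present."""
import re

# Constructed sample of a .platform.app.yaml that still carries the variable
# the advisory says to remove (file layout assumed, not taken from the advisory).
SAMPLE_APP_YAML = """\
name: app
type: php:7.3
variables:
    env:
        SYMFONY_TRUSTED_PROXIES: "TRUST_REMOTE"
        SYMFONY_ENV: prod
"""

# Constructed sample of .platform/services.yaml with a Varnish service still
# defined (the 'type: varnish:<version>' syntax is assumed).
SAMPLE_SERVICES_YAML = """\
varnish:
    type: varnish:6.0
"""

# TRUST_REMOTE is the value the advisory names; quotes are optional in YAML.
TRUSTED_PROXIES_RE = re.compile(
    r'^\s*SYMFONY_TRUSTED_PROXIES\s*:\s*["\']?TRUST_REMOTE["\']?\s*$')
VARNISH_SERVICE_RE = re.compile(r'^\s*type\s*:\s*["\']?varnish:')


def find_trust_remote(app_yaml: str) -> list:
    """1-based line numbers where SYMFONY_TRUSTED_PROXIES is set to TRUST_REMOTE."""
    return [n for n, line in enumerate(app_yaml.splitlines(), 1)
            if TRUSTED_PROXIES_RE.match(line)]


def find_varnish_services(services_yaml: str) -> list:
    """1-based line numbers that declare a Varnish service."""
    return [n for n, line in enumerate(services_yaml.splitlines(), 1)
            if VARNISH_SERVICE_RE.match(line)]


def fastly_setup_is_safe(app_yaml: str, services_yaml: str) -> bool:
    """True only when neither leftover from the Varnish setup is present."""
    return not find_trust_remote(app_yaml) and not find_varnish_services(services_yaml)


if __name__ == "__main__":
    print("TRUST_REMOTE at lines:", find_trust_remote(SAMPLE_APP_YAML))
    print("Varnish services at lines:", find_varnish_services(SAMPLE_SERVICES_YAML))
    print("Safe for Fastly:", fastly_setup_is_safe(SAMPLE_APP_YAML, SAMPLE_SERVICES_YAML))
```

Run it against the real `.platform.app.yaml` and `.platform/services.yaml` before redeploying; any reported line means the documented Varnish removal is incomplete.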


Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ezplatform.com/en/latest/guide/reporting_issues/