Akamai Technologies, Inc.

Notified: October 04, 2019 Updated: January 14, 2020

Status

  Affected

Vendor Statement

Akamai acknowledges this issue and has been aware of similar research in the past. This advisory highlights a reflected XSS vulnerability in origin web applications that exists whether or not a CDN is involved, exacerbated by having responses cached. HTTP header values can be crafted by the attacker to include malicious payloads, which will then be stored in the cache and sent when subsequent requests are made for the same content. In essence, this is a traditional reflected XSS attack, elevated to a stored XSS due to caching by CDNs. Website operators should treat HTTP headers as an injection vector that must be validated prior to being parsed. Akamai can work with site operators to help create mitigation strategies specific to their systems. Header values presented to customers' applications should be considered untrusted input and validated before use.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Amazon

Notified: October 04, 2019 Updated: January 14, 2020

Status

  Affected

Vendor Statement

Amazon acknowledges the HTTP Cache Poisoning issue and sees this as part of AWS's shared security responsibility model with Amazon's customers. CloudFront follows the standards defined in RFC 7234 when defining cache keys, which are used to identify cached content. Customers are further able to specify the headers that CloudFront considers when caching objects. The issue described needs to be addressed using CloudFront distribution configuration. Customers can also use AWS Web Application Firewall (WAF) to deploy Access Control Lists (ACLs) in front of their CloudFront distributions, which adds a layer of defense to CloudFront distributions by defining which traffic will be permitted to reach the associated distribution.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Cloudflare

Notified: October 15, 2019 Updated: January 14, 2020

Status

  Affected

Vendor Statement

Cloudflare is aware of the issue and has done some mitigations in the past. Most of the cause is due to the back end web server or origin of the content. In addition to those blog posts, we direct customers to information about how our cache works: https://support.cloudflare.com/hc/en-us/articles/200172516-Understanding-Cloudflare-s-CDN#h_51422705-42d0-450d-8eb1-5321dcadb5bc

Most CDNs cache what customer origins tell us to cache (respecting cache control headers), so most of these cache poisoning issues are on the origin side and not the CDN side. Cloudflare is sensitive to what the customer requests to be cached; when possible, Cloudflare prevents caching of dynamic content that is specific to one user (for example, a distinct Set-Cookie header being observed).

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References