
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. The vulnerability occurs when communication with a TLS termination proxy uses PROXY version 2, which can lead to an assertion failure and daemon restart, causing a performance loss. The vulnerability was assigned CVE-2020-11653 and was disclosed on April 8, 2020 (NVD).
The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue specifically manifests when Varnish Cache communicates with a TLS termination proxy using PROXY version 2 protocol. The vulnerability is categorized under CWE-617 (Reachable Assertion) (NVD).
When exploited, the vulnerability causes an assertion failure that forces the Varnish daemon to restart. This restart results in an empty cache, leading to reduced overall performance due to increased cache misses and potentially higher load on backend servers. There is no potential for remote code execution or data leaks related to this vulnerability (Varnish Advisory).
Several mitigations are available: 1) switch to PROXY protocol version 1, which is not affected by this vulnerability; 2) when using Hitch as the TLS proxy, add the sni-nomatch-abort option to its configuration; 3) increase the session workspace to 34k by adding '-p workspace_session=34k' to the varnishd command line. The issue has been fixed in Varnish Cache versions 6.2.3, 6.3.2, and 6.0.6 LTS (Varnish Advisory).
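The following triage helper, added here as an example and not part of the advisory or of Varnish itself, encodes the affected-version ranges and fixed releases stated above and checks a varnishd command line for the workspace_session mitigation. The function names and the sample inputs are constructed for this example; it assumes a version string in the usual x.y.z form and that varnishd's workspace_session value carries an optional k or m unit suffix.

```python
"""Triage helper for CVE-2020-11653 (Varnish Cache, PROXY v2 assertion failure)."""
import re
import shlex

# Fixed releases named in the advisory. No fixed 6.1.x release is listed,
# so every 6.1.x version is treated as affected.
FIXED = {(6, 0): (6, 0, 6), (6, 2): (6, 2, 3), (6, 3): (6, 3, 2)}


def parse_version(text):
    """Return (major, minor, patch) from a bare version or a `varnishd -V` banner."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the release lies inside the advisory's affected ranges."""
    major, minor, _patch = version
    if major != 6 or minor not in (0, 1, 2, 3):
        return False  # the advisory only names the 6.0 to 6.3 lines
    if minor == 1:
        return True   # all of 6.1.x is affected
    return tuple(version) < FIXED[(6, minor)]


def has_workspace_mitigation(cmdline, minimum_kb=34):
    """Check a varnishd command line for -p workspace_session at or above 34k."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        # accept both "-p value" and "-pvalue" spellings
        if arg == "-p" and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith("-p") and len(arg) > 2:
            value = arg[2:]
        else:
            continue
        m = re.fullmatch(r"workspace_session=(\d+(?:\.\d+)?)([kKmM]?)", value)
        if not m:
            continue
        size, unit = float(m.group(1)), m.group(2).lower()
        kb = size * 1024 if unit == "m" else size if unit == "k" else size / 1024
        return kb >= minimum_kb
    return False  # parameter absent: the default workspace applies


if __name__ == "__main__":
    # constructed sample banner, not real output of a specific host
    v = parse_version("varnishd (varnish-6.2.1 revision 0000000)")
    print(v, "affected" if is_affected(v) else "not affected")
```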
Source: This report was generated using AI