CVE-2023-50269: 
Squid vulnerability analysis and mitigation

Squid, a caching proxy for the Web, was found to be vulnerable to a Denial of Service (DoS) attack due to an Uncontrolled Recursion bug. The vulnerability affects versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5. This vulnerability was discovered by Joshua Rogers of Opera Software and was disclosed on December 14, 2023 (GitHub Advisory).

The vulnerability stems from an Uncontrolled Recursion bug in HTTP Request parsing, specifically when processing X-Forwarded-For headers with the follow_x_forwarded_for feature configured. The issue has been assigned CVE-2023-50269 with a CVSS v3.1 base score of 7.5 (High), indicating a network-accessible vulnerability requiring no privileges or user interaction to exploit (NVD).

When successfully exploited, this vulnerability allows a remote client to perform a Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. The attack can lead to exhaustion of the Squid process call stack (GitHub Advisory).

The vulnerability has been fixed in Squid version 6.6. For earlier versions, patches are available in the Squid patch archives. As a workaround, administrators can remove all follow_x_forwarded_for lines from squid.conf. The fix implements a limit on the number of allowed X-Forwarded-For hops to 64 addresses (GitHub Advisory).

Multiple Linux distributions have released security updates to address this vulnerability, including Debian with DLA-3709-1 and Fedora with updates for versions 38 and 39. NetApp has also issued an advisory (NTAP-20240119-0005) for their products that incorporate Squid (Debian LTS, Fedora, NetApp).