On October 22, 2019, a new method of web cache poisoning, called CPDoS or Cache Poisoned Denial of Service, was announced by researchers Hoai Viet Nguyen and Luigi Lo Iacono. Targeting content delivery networks and other caching systems, the attack works by using a malicious header in the HTTP request to cause an error message to be cached rather than the intended content. The error page is subsequently served to users in place of the legitimate content.
Akamai is aware of the issue and evaluated the attack in advance of the public disclosure. We have determined that the default caching behavior used for error responses is compliant with the relevant RFCs, and that we are not impacted by this attack. However, non-standard configurations may be implemented to allow for the caching of error messages and would therefore be vulnerable. Customers are strongly advised to review their individual configurations with their account teams to verify that customization has not rendered their site vulnerable.
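The distinction the advisory draws, between what a standards-compliant shared cache stores by default and what a customized configuration may store, can be checked mechanically. The following is an added illustration, not Akamai's code or configuration: it applies the shared-cache storability rules of RFC 7234 section 3 and the default-cacheable status codes of RFC 7231 section 6.1 to constructed sample responses, and flags every error response that a cache would store.

```python
"""Flag error responses that a shared cache would store.

Added example, not Akamai's code. The sample responses below are constructed
for illustration and were not captured from any real site.
"""

# Status codes RFC 7231 section 6.1 lists as cacheable by default, i.e. a cache may
# store them with heuristic freshness even when no explicit freshness is given.
# Note that 404, 405, 410, 414 and 501 are on this list, so a compliant cache
# may store those error responses unless the origin says otherwise.
HEURISTIC_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: value-or-None}, names lowercased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def shared_cache_may_store(status, headers):
    """RFC 7234 section 3: may a shared cache store this response at all?"""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    # Explicit freshness or an explicit 'public' makes any status storable.
    if "public" in cc or "s-maxage" in cc or "max-age" in cc or "expires" in h:
        return True
    return status in HEURISTIC_CACHEABLE


def find_cacheable_errors(responses):
    """Return (status, label) for every 4xx/5xx response a shared cache would store."""
    return [(r["status"], r["label"]) for r in responses
            if r["status"] >= 400 and shared_cache_may_store(r["status"], r["headers"])]


# Constructed sample responses, each labelled with the situation it stands for.
SAMPLE_RESPONSES = [
    {"label": "normal page", "status": 200, "headers": {"Cache-Control": "public, max-age=300"}},
    {"label": "rejected request, default headers", "status": 400, "headers": {}},
    {"label": "rejected request, cache override", "status": 400, "headers": {"Cache-Control": "public, max-age=600"}},
    {"label": "missing page, default headers", "status": 404, "headers": {}},
    {"label": "origin error, default headers", "status": 502, "headers": {}},
    {"label": "origin error, no-store", "status": 502, "headers": {"Cache-Control": "no-store"}},
]

if __name__ == "__main__":
    for status, label in find_cacheable_errors(SAMPLE_RESPONSES):
        print(f"cacheable error response: {status} ({label})")
```

A plain 400 is not stored by default, which is why the compliant behavior is not affected; the same 400 with an explicit `public, max-age` override is stored, which is the customized configuration the advisory warns about, and a bare 404 is stored because the RFC lists it as cacheable by default.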
Akamai is in the process of providing guidance for customers on specific configuration review steps. This vulnerability is similar in execution and impact to the Web Cache Deception Attack disclosed in March 2017. Akamai would like to thank the researchers for their efforts and communication about this vulnerability.