CVE-2022-23959: VSV00008 Varnish HTTP/1 Request Smuggling Vulnerability — Varnish HTTP Cache
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
CVE-2022-23959
Date: 2022-01-25
A request smuggling attack can be performed on HTTP/1 connections to Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and its response would be injected as a spurious response on the client connection.
Identifying smuggled requests
Smuggled requests will show in the logs generated by Varnish as normal requests. It may be possible to identify the smuggled requests by comparing the Varnish logs with logs from any proxy software between the Varnish server and the client.
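The comparison described above, as an added example that is not part of the advisory: a Python script that counts requests per client connection in a front-proxy log and in a Varnish log and reports requests Varnish handled that the proxy never forwarded. It assumes (constructed for this example) that both sides log one line per request as "<timestamp> <ip:port> <method> <path>", with the same ip:port identifying the connection on both sides (for instance because the proxy passes the PROXY protocol to Varnish); the log lines are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample logs, not real traffic. Assumed line format on both
# sides: "<timestamp> <client ip:port> <method> <path>".
PROXY_LOG = """\
2022-01-25T10:00:01Z 203.0.113.7:51000 GET /index.html
2022-01-25T10:00:01Z 203.0.113.7:51000 POST /search
2022-01-25T10:00:02Z 198.51.100.9:40212 GET /about
"""

VARNISH_LOG = """\
2022-01-25T10:00:01Z 203.0.113.7:51000 GET /index.html
2022-01-25T10:00:01Z 203.0.113.7:51000 POST /search
2022-01-25T10:00:01Z 203.0.113.7:51000 GET /admin
2022-01-25T10:00:02Z 198.51.100.9:40212 GET /about
"""

LINE_RE = re.compile(r"^(\S+) (\S+:\d+) (\S+) (\S+)$")


def parse(log):
    """Return {conn: Counter of (method, path)} for one log."""
    per_conn = defaultdict(Counter)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines outside the assumed format
        _ts, conn, method, path = m.groups()
        per_conn[conn][(method, path)] += 1
    return per_conn


def find_smuggled(proxy_log, varnish_log):
    """Per connection, list requests Varnish saw but the proxy did not.

    A smuggled request is logged by Varnish as an ordinary extra request,
    so it appears as a surplus on the same connection. Returns
    {conn: [(method, path), ...]} for connections with a surplus.
    """
    proxy = parse(proxy_log)
    varnish = parse(varnish_log)
    suspicious = {}
    for conn, seen in varnish.items():
        extra = seen - proxy.get(conn, Counter())  # multiset difference
        if extra:
            suspicious[conn] = sorted(extra.elements())
    return suspicious


if __name__ == "__main__":
    for conn, reqs in find_smuggled(PROXY_LOG, VARNISH_LOG).items():
        print(f"{conn}: {len(reqs)} request(s) unseen by proxy: {reqs}")
```

Connections that reach the backend only through Varnish itself (no proxy log line at all) will also appear as a surplus, so restrict the proxy log to the same listener before comparing.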
Versions affected
Varnish Cache releases 1.x, 2.x, 3.x, 4.x, 5.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x, 6.6.0, 6.6.1, 7.0.0, 7.0.1.
Varnish Cache 6.0 LTS series up to and including 6.0.9.
All versions of Varnish Cache 4.1 LTS series.
Versions not affected
Varnish Cache 6.6.2 (released 2022-01-25)
Varnish Cache 7.0.2 (released 2022-01-25)
Varnish Cache 6.0 LTS version 6.0.10 (released 2022-01-25)
GitHub Varnish Cache master branch at commit 1020be7e886399a4e94407ae0dfbfd1475cc5756
Mitigation
If upgrading Varnish is not possible, it is possible to mitigate the problem by ensuring that the Varnish Server does not allow connection reuse on HTTP/1 client connections once a request body has been seen on the connection. To deploy the workaround, put the following VCL configuration towards the top of the VCL configuration:
sub vsv8 {
    # Close the client connection after any request that carried a body
    # (Content-Length or Transfer-Encoding) on an HTTP/1 connection, so no
    # trailing bytes can be parsed as a further request on that connection.
    if ((req.http.Content-Length || req.http.Transfer-Encoding) && req.proto != "HTTP/2.0") {
        set resp.http.Connection = "close";
    }
}

sub vcl_synth {
    call vsv8;
}

sub vcl_deliver {
    call vsv8;
}
Credits
This problem was discovered and reported to us by James Kettle, Director of Research at PortSwigger. We wish to thank him for the responsible disclosure.
Related news
Threat actors can abuse weaknesses in HTTP request handling to launch damaging browser-based attacks on website users, researcher says.
Ubuntu Security Notice 5474-1 - It was discovered that Varnish Cache did not clear a pointer between the handling of one client request and the next request within the same connection. A remote attacker could possibly use this issue to obtain sensitive information. It was discovered that Varnish Cache could have an assertion failure when a TLS termination proxy uses PROXY version 2. A remote attacker could possibly use this issue to restart the daemon and cause a performance loss.
Red Hat Security Advisory 2022-4745-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
An update for rh-varnish6-varnish is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2022-23959: varnish: HTTP/1 request smuggling vulnerability