Headline
RHSA-2022:8644: Red Hat Security Advisory: varnish security update
An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-45060: varnish: Request Forgery Vulnerability
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- OpenShift Dev Spaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-11-28
Updated:
2022-11-28
RHSA-2022:8644 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: varnish security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don’t have to create the same web page over and over again, giving the website a significant speed up.
Security Fix(es):
- varnish: Request Forgery Vulnerability (CVE-2022-45060)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
- Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.0 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.0 ppc64le
- Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.0 s390x
- Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.0 aarch64
- Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0 aarch64
- Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0 s390x
Fixes
- BZ - 2141844 - CVE-2022-45060 varnish: Request Forgery Vulnerability
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0
SRPM
varnish-6.6.2-2.el9_0.1.src.rpm
SHA-256: 26b563b20e0364068f408e2c66c17714453d3c9a6a0478e30234b25b97c18946
x86_64
varnish-6.6.2-2.el9_0.1.i686.rpm
SHA-256: 6c62e3e38e45b97ccee34689f0d4d53d83e322dda75d362387878da96d8680b6
varnish-6.6.2-2.el9_0.1.x86_64.rpm
SHA-256: f0dcf4cd84133c4d8863249029fcdf2ac2f93318afb54f0dcdfb7841bfc44fed
varnish-docs-6.6.2-2.el9_0.1.x86_64.rpm
SHA-256: 862e7ec6d42c5e426402b7b5c0ef726cd539be47113581a8d29d6cc735f7a477
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0
SRPM
varnish-6.6.2-2.el9_0.1.src.rpm
SHA-256: 26b563b20e0364068f408e2c66c17714453d3c9a6a0478e30234b25b97c18946
s390x
varnish-6.6.2-2.el9_0.1.s390x.rpm
SHA-256: e3cd7823478628108edb2b8300b66a9bcff4b3ec5cd519dd096672ec7bcbdd90
varnish-docs-6.6.2-2.el9_0.1.s390x.rpm
SHA-256: ccf3c28a5c4cc112a45cd4f4b7da334cef68629caa52b02e9e22693ebfcf18d6
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0
SRPM
varnish-6.6.2-2.el9_0.1.src.rpm
SHA-256: 26b563b20e0364068f408e2c66c17714453d3c9a6a0478e30234b25b97c18946
ppc64le
varnish-6.6.2-2.el9_0.1.ppc64le.rpm
SHA-256: 4eb35a1323f8490575a84af6af7c24121a98c484d071413819cf4cdbf23dd4f1
varnish-docs-6.6.2-2.el9_0.1.ppc64le.rpm
SHA-256: 8dba4cd941452593a62776d7803a92d9b47e40e72e03d9858954ef20d1345d1d
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0
SRPM
varnish-6.6.2-2.el9_0.1.src.rpm
SHA-256: 26b563b20e0364068f408e2c66c17714453d3c9a6a0478e30234b25b97c18946
aarch64
varnish-6.6.2-2.el9_0.1.aarch64.rpm
SHA-256: 12c3ec799b15c7e8d514235719d15e398da54e4e1d23393fafd6f0985c3553f8
varnish-docs-6.6.2-2.el9_0.1.aarch64.rpm
SHA-256: a871d83027b0aa24c90e7a99f6040ce62eea19303569b4e21f77553f9dadbdba
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0
SRPM
varnish-6.6.2-2.el9_0.1.src.rpm
SHA-256: 26b563b20e0364068f408e2c66c17714453d3c9a6a0478e30234b25b97c18946
ppc64le
varnish-6.6.2-2.el9_0.1.ppc64le.rpm
SHA-256: 4eb35a1323f8490575a84af6af7c24121a98c484d071413819cf4cdbf23dd4f1
varnish-docs-6.6.2-2.el9_0.1.ppc64le.rpm
SHA-256: 8dba4cd941452593a62776d7803a92d9b47e40e72e03d9858954ef20d1345d1d
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0
SRPM
varnish-6.6.2-2.el9_0.1.src.rpm
SHA-256: 26b563b20e0364068f408e2c66c17714453d3c9a6a0478e30234b25b97c18946
x86_64
varnish-6.6.2-2.el9_0.1.i686.rpm
SHA-256: 6c62e3e38e45b97ccee34689f0d4d53d83e322dda75d362387878da96d8680b6
varnish-6.6.2-2.el9_0.1.x86_64.rpm
SHA-256: f0dcf4cd84133c4d8863249029fcdf2ac2f93318afb54f0dcdfb7841bfc44fed
varnish-docs-6.6.2-2.el9_0.1.x86_64.rpm
SHA-256: 862e7ec6d42c5e426402b7b5c0ef726cd539be47113581a8d29d6cc735f7a477
Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.0
SRPM
x86_64
varnish-devel-6.6.2-2.el9_0.1.i686.rpm
SHA-256: 75a8661aecabc3ec9fe7963ef78c98c54361da4f44cafacd8ad4236f656527b0
varnish-devel-6.6.2-2.el9_0.1.x86_64.rpm
SHA-256: e5aa68890183402a5be70a6f8de9274736df155530fc496fb028d0a78e3d2b82
Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.0
SRPM
ppc64le
varnish-devel-6.6.2-2.el9_0.1.ppc64le.rpm
SHA-256: 49a67b3b72306de52427aa0317d1a7eada3e1bff685a58c084430e4b3fff0275
Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.0
SRPM
s390x
varnish-devel-6.6.2-2.el9_0.1.s390x.rpm
SHA-256: 62e692b860a9e52715fca4df122bb8a1e18ef05b26f68af00d1cdec0241f2f4e
Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.0
SRPM
aarch64
varnish-devel-6.6.2-2.el9_0.1.aarch64.rpm
SHA-256: b16348190e349131d61daab1f3dc7893d403457389f747451c3fcc652ed91368
Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0
SRPM
varnish-6.6.2-2.el9_0.1.src.rpm
SHA-256: 26b563b20e0364068f408e2c66c17714453d3c9a6a0478e30234b25b97c18946
aarch64
varnish-6.6.2-2.el9_0.1.aarch64.rpm
SHA-256: 12c3ec799b15c7e8d514235719d15e398da54e4e1d23393fafd6f0985c3553f8
varnish-docs-6.6.2-2.el9_0.1.aarch64.rpm
SHA-256: a871d83027b0aa24c90e7a99f6040ce62eea19303569b4e21f77553f9dadbdba
Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0
SRPM
varnish-6.6.2-2.el9_0.1.src.rpm
SHA-256: 26b563b20e0364068f408e2c66c17714453d3c9a6a0478e30234b25b97c18946
s390x
varnish-6.6.2-2.el9_0.1.s390x.rpm
SHA-256: e3cd7823478628108edb2b8300b66a9bcff4b3ec5cd519dd096672ec7bcbdd90
varnish-docs-6.6.2-2.el9_0.1.s390x.rpm
SHA-256: ccf3c28a5c4cc112a45cd4f4b7da334cef68629caa52b02e9e22693ebfcf18d6
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
An update for rh-varnish6-varnish is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45060: An HTTP Request Forgery issue was discovered in Varnish Cache. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could be used to exploit vulnerabilities in a server behind t...
Red Hat Security Advisory 2022-8643-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
Red Hat Security Advisory 2022-8646-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
Red Hat Security Advisory 2022-8649-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
Red Hat Security Advisory 2022-8650-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
Red Hat Security Advisory 2022-8644-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
Red Hat Security Advisory 2022-8647-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
Red Hat Security Advisory 2022-8645-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45060: varnish: Request Forgery Vulnerability
An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45060: varnish: Request Forgery Vulnerability
An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45060: varnish: Request Forgery Vulnerability
An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45060: varnish: Request Forgery Vulnerability
An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45060: varnish: Request Forgery Vulnerability
An update for varnish is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45060: varnish: Request Forgery Vulnerability
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.