urlscan.io logo urlscan.io
SecurityTrails logo

docs.varnish-software.com Open in urlscan Pro
2604:a880:cad:d0::bdb:5001  Public Scan

Back to summary
URL: https://docs.varnish-software.com/security/VSV00008/
Submission: On February 14 via manual from GB — Scanned from GB

Form analysis 0 forms found in the DOM

Text Content

Search

--------------------------------------------------------------------------------


VARNISH HTTP/1 REQUEST SMUGGLING SECURITY

 * Impact
 * Status
   * Affected software versions
   * Resolved in
 * Solution
   * Upgrading on RedHat and derivatives
   * Upgrading on Ubuntu and Debian
 * Workaround
 * Identification
 * Timeline
 * References

Published January 25, 2022.

A request smuggling attack can be performed on HTTP/1 connections on Varnish
Cache and Varnish Cache Plus servers. The smuggled request would be treated as
an additional request by the Varnish server, go through normal VCL processing,
and injected as a spurious response on the client connection.

This problem was discovered and reported to us by James Kettle, Director of
Research at PortSwigger. We wish to thank him for the responsible disclosure.


IMPACT

The potential impact is information disclosure and cache poisoning.


STATUS


AFFECTED SOFTWARE VERSIONS

 * Varnish Cache Plus 6.0 series up to and including 6.0.9r3.
 * Varnish Cache Plus 4.1 series up to and including 4.1.11r5.
 * Varnish Cache 6.0 LTS series up to and including 6.0.9.
 * All versions of Varnish Cache 4.1 LTS series.
 * Varnish Cache releases 1.x, 2.x, 3.x, 4.x, 5.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x,
   6.4.x, 6.5.x, 6.6.0, 6.6.1, 7.0.0, 7.0.1.


RESOLVED IN

 * Varnish Cache Plus 6.0.9r4 (released 2021-12-21)
 * Varnish Cache Plus 4.1.11r6 (released 2022-01-07)
 * Varnish Cache 6.6.2 (released 2022-01-25)
 * Varnish Cache 7.0.2 (released 2022-01-25)
 * Varnish Cache 6.0 LTS version 6.0.10 (released 2022-01-25)


SOLUTION

The recommended solution is to upgrade Varnish to one of the versions where this
issue has been resolved, and then ensure that Varnish is restarted.


UPGRADING ON REDHAT AND DERIVATIVES

You should already have configured the Varnish Cache Plus repository, so a
normal upgrade will be enough:

sudo yum update varnish-plus
sudo systemctl restart varnish


Verify that the version that is installed is recent:

rpm -q varnish-plus
varnish-plus-6.0.9r4-1.el7.x86_64



UPGRADING ON UBUNTU AND DEBIAN

You should already have configured the Varnish Cache Plus repository, so a
normal upgrade should be enough:

sudo apt-get update
sudo apt-get install --only-upgrade varnish-plus
sudo systemctl restart varnish


Verify that the version that is installed is recent:

dpkg -l varnish-plus
[...]
ii  varnish-plus                6.0.9r4-1~xenial   amd64              A supercharged version of the popular web cache, Varnish Cache



WORKAROUND

If upgrading Varnish is not possible, it is possible to mitigate the problem by
ensuring that the Varnish Server does not allow connection reuse on HTTP/1
client connections once a request body has been seen on the connection. To
deploy the workaround, put the following VCL configuration towards the top of
the VCL configuration::

sub vsv8 {
    if ((req.http.Content-Length || req.http.Transfer-Encoding) &&
      req.proto != "HTTP/2.0") {
        set resp.http.Connection = "close";
    }
}

sub vcl_synth { call vsv8; }
sub vcl_deliver { call vsv8; }



IDENTIFICATION

Smuggled requests will show in the logs generated by Varnish as normal requests.
It may be possible to identify the smuggled requests by comparing the Varnish
logs with logs from any proxy software between the Varnish server and the
client.


TIMELINE

2021-12-17

 * Independent security researcher contacts the Varnish Cache project about a
   potential problem.

2021-12-18

 * Problem is confirmed, preliminary patch and test case developed.

2021-12-21

 * Varnish Software released patched Varnish Cache Plus version 6.0.9r4 to
   address the issue.
   

2022-01-07

 * Varnish Software released patched Varnish Cache Plus version 4.1.11r6 to
   address the issue.

2022-01-25

 * Public disclosure and updated open source packages.


REFERENCES

 * CVE-2022-23959
 * Varnish Cache VSV00008 announcement

--------------------------------------------------------------------------------

Manuals
Varnish Live
Varnish Cloud
Varnish Cache Plus
Varnish High Availability
Varnish Controller
Varnish Custom Statistics
Varnish Broadcaster
Varnish WAF
Varnish Administration Console

News
Varnish HTTP/1 Request Smuggling
Varnish Cache Plus 4.1.11r7
Varnish Cache Plus 4.1.11r6
Varnish Administration Console 3.9.3
Varnish Cache Plus 6.0.9r4 and Web Application Firewall 1.1.0
News archive