VSV00011 Varnish HTTP/2 Request Forgery Vulnerability
Martin Blix Grydeland
martin at varnish-software.com
Tue Nov 8 10:18:05 UTC 2022
VSV00011 Varnish HTTP/2 Request Forgery Vulnerability
=====================================================
Date: 2022-11-08
A request forgery attack can be performed on Varnish Cache servers that
have the HTTP/2 protocol turned on. An attacker may introduce characters
through the HTTP/2 pseudo-headers that are invalid in the context of an
HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1
requests to the backend. This may in turn be used to successfully exploit
vulnerabilities in a server behind the Varnish server.
Versions affected
-----------------
* Varnish Cache releases 5.x, 6.x, 7.0.x, 7.1.0, 7.1.1, 7.2.0.
* Varnish Cache 6.0 LTS series up to and including 6.0.10.
* Varnish Cache Plus by Varnish Software 6.0.x up to and including 6.0.10r2.
Versions not affected
---------------------
* Varnish Cache 7.1.2 (released 2022-11-08)
* Varnish Cache 7.2.1 (released 2022-11-08)
* GitHub Varnish Cache master branch at commit
687ffb6452ba570778a83b6eb1df8ac1b31d9221
* Varnish Cache Plus by Varnish Software version 6.0.10r3.
Mitigation
----------
If upgrading Varnish is not possible, it is possible to mitigate the
problem by adding the following snippet at the beginning of the `vcl_recv`
VCL function::
sub vcl_recv {
if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") {
return (synth(400));
}
}
This VCL statement would test if the VCL variables filled in from incoming
HTTP/2 pseudo-headers contains any of the problematic characters, and
answer with a 400 "Bad request" synthetic response if found.
Credits
-------
This problem was discovered and reported to us by Martin van Kervel
Smedshammer, Graduate Student at the University of Oslo. We wish to thank
him for the responsible disclosure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-announce/attachments/20221108/8eac25c2/attachment.html>
More information about the varnish-announce
mailing list