From dridi at varni.sh Thu Jul 8 05:28:31 2021 From: dridi at varni.sh (Dridi Boukelmoune) Date: Thu, 8 Jul 2021 05:28:31 +0000 Subject: Migration to PCRE2 Message-ID: We just completed a migration of our regular expression engine from PCRE to PCRE2. https://github.com/varnishcache/varnish-cache/pull/3635 There may be subtle differences that we would be eager to learn about. We discovered for example that PCRE2 will reject unknown escape sequences like "\T" whereas PCRE would interpret it as "T". There might be an option flag to loosen this rule but we decided to stick to the strict behavior. We generally expect that potential breaking changes in the regular expression syntax should be minor and trivial to correct. If you wish to test this change scheduled for the next biannual release in September, it is available in the git master branch. Linux users may also find prebuilt weekly packages at the usual address. https://packagecloud.io/varnishcache/varnish-weekly -- Dridi From martin at varnish-software.com Tue Jul 13 10:18:50 2021 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Tue, 13 Jul 2021 12:18:50 +0200 Subject: VSV00007 Varnish HTTP/2 Request Smuggling Attack Message-ID: VSV00007 Varnish HTTP/2 Request Smuggling Attack ================================================ Date: 2021-07-13 A request smuggling attack can be performed on Varnish Cache and Varnish Cache Plus servers that have the HTTP/2 protocol enabled. The smuggled requests do not go through normal VCL processing, and any authorisation steps implemented in VCL would be bypassed. The responses to the smuggled requests can under some circumstances also be obtained by the attacker. Also, it may be possible for an attacker to use this for cache poisoning, where the response to a smuggled request is inserted as the cached content. Identifying smuggled requests ----------------------------- Smuggled requests will not show in any logs generated by Varnish, but would show in the backend logs. It may be possible to identify the smuggled requests in the backend logs by missing Varnish inserted artifacts, like the `X-Varnish` header. Though a determined attacker may spoof these artifacts in the smuggled requests. Versions affected ----------------- * Varnish Cache releases 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.3.0, 6.3.1, 6.3.2, 6.4.0, 6.5.0, 6.5.1, 6.6.0. * Varnish Cache releases 5.x.x. Notice that the experimental HTTP/2 support in these releases are known to have several issues, and enabling HTTP/2 is not recommended. * Varnish Cache 6.0 LTS by Varnish Software up to and including 6.0.7 Versions not affected --------------------- * All versions of Varnish Cache prior to version 5.0.0 Fixed in -------- * Varnish Cache 6.6.1 * Varnish Cache 6.5.2 * Varnish Cache 6.0 LTS version 6.0.8 * GitHub Varnish Cache master branch at commit 450961a019d1c1955ca1851d51940ff2c87bdc98 Mitigation ---------- Mitigation is possible by either disabling the HTTP/2 protocol, or preventing backend connection reuse. Turning off support for HTTP/2: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The problem only affects servers that have HTTP/2 support enabled. This support can be turned off at runtime. To disable HTTP/2 on a server do:: sudo varnishadm param.set feature -http2 To verify that HTTP/2 is disabled on a server, execute this command and make sure the current value does not list `http2`:: sudo varnishadm param.show feature When using Hitch (or any other TLS termination proxy) in front of Varnish to handle TLS termination, you should also unlist the `h2` token as a possible protocol in the ALPN advertisement sent to connecting clients. To unlist `h2` as a supported protocol in Hitch, remove or comment out the line stating `alpn-protos = "h2, http/1.1"` in your Hitch configuration file. Then restart the Hitch service (reload is not sufficient). Preventing connection reuse ~~~~~~~~~~~~~~~~~~~~~~~~~~~ On compliant backends it is possible to prevent the execution of smuggled requests by disabling connection reuse of backend requests. Note that for this workaround to be effective, it relies on the backend to refuse any additional requests after seeing a `Connection: close` header. To disable backend connection reuse, add a `Connection: close` header on the outgoing backend requests:: sub vcl_backend_fetch { set bereq.http.Connection = "close"; } Credits ------- Martin Blix Grydeland at Varnish Software for identifying and handling the issue. -------------- next part -------------- An HTML attachment was scrubbed... URL: