VSV00011 Varnish HTTP/2 Request Forgery Vulnerability

Martin Blix Grydeland martin at varnish-software.com
Tue Nov 8 10:18:05 UTC 2022

VSV00011 Varnish HTTP/2 Request Forgery Vulnerability

Date: 2022-11-08

A request forgery attack can be performed on Varnish Cache servers that
have the HTTP/2 protocol turned on. An attacker may introduce characters
through the HTTP/2 pseudo-headers that are invalid in the context of an
HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1
requests to the backend. This may in turn be used to successfully exploit
vulnerabilities in a server behind the Varnish server.

Versions affected

* Varnish Cache releases 5.x, 6.x, 7.0.x, 7.1.0, 7.1.1, 7.2.0.

* Varnish Cache 6.0 LTS series up to and including 6.0.10.

* Varnish Cache Plus by Varnish Software 6.0.x up to and including 6.0.10r2.

Versions not affected

* Varnish Cache 7.1.2 (released 2022-11-08)

* Varnish Cache 7.2.1 (released 2022-11-08)

* GitHub Varnish Cache master branch at commit

* Varnish Cache Plus by Varnish Software version 6.0.10r3.


If upgrading Varnish is not possible, it is possible to mitigate the
problem by adding the following snippet at the beginning of the `vcl_recv`
VCL function::

  sub vcl_recv {
      if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") {
          return (synth(400));

This VCL statement would test if the VCL variables filled in from incoming
HTTP/2 pseudo-headers contains any of the problematic characters, and
answer with a 400 "Bad request" synthetic response if found.


This problem was discovered and reported to us by Martin van Kervel
Smedshammer, Graduate Student at the University of Oslo. We wish to thank
him for the responsible disclosure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-announce/attachments/20221108/8eac25c2/attachment.html>

More information about the varnish-announce mailing list