Varnish HTTP/1 Request Smuggling Security

A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache and Varnish Enterprise servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and injected as a spurious response on the client connection.

This problem was discovered and reported to us by James Kettle, Director of Research at PortSwigger. We wish to thank him for the responsible disclosure.

Impact

The potential impact is information disclosure and cache poisoning.

Status

Affected software versions

• Varnish Enterprise 6.0 series up to and including 6.0.9r3.
• Varnish Enterprise 4.1 series up to and including 4.1.11r5.
• Varnish Cache 6.0 LTS series up to and including 6.0.9.
• All versions of Varnish Cache 4.1 LTS series.
• Varnish Cache releases 1.x, 2.x, 3.x, 4.x, 5.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x, 6.6.0, 6.6.1, 7.0.0, 7.0.1.

Resolved in

• Varnish Enterprise 6.0.9r4 (released 2021-12-21)
• Varnish Enterprise 4.1.11r6 (released 2022-01-07)
• Varnish Cache 6.6.2 (released 2022-01-25)
• Varnish Cache 7.0.2 (released 2022-01-25)
• Varnish Cache 6.0 LTS version 6.0.10 (released 2022-01-25)

Solution

The recommended solution is to upgrade Varnish to one of the versions where this issue has been resolved, and then ensure that Varnish is restarted.

Upgrading on RedHat and derivatives

You should already have configured the Varnish Enterprise repository, so a normal upgrade will be enough:

sudo yum update varnish-plus
sudo systemctl restart varnish

Verify that the version that is installed is recent:

rpm -q varnish-plus
varnish-plus-6.0.9r4-1.el7.x86_64

Upgrading on Ubuntu and Debian

You should already have configured the Varnish Enterprise repository, so a normal upgrade should be enough:

sudo apt-get update
sudo apt-get install --only-upgrade varnish-plus
sudo systemctl restart varnish

Verify that the version that is installed is recent:

dpkg -l varnish-plus
[...]
ii  varnish-plus                6.0.9r4-1~xenial   amd64              A supercharged version of the popular web cache, Varnish Cache

Workaround

If upgrading Varnish is not possible, it is possible to mitigate the problem by ensuring that the Varnish Server does not allow connection reuse on HTTP/1 client connections once a request body has been seen on the connection. To deploy the workaround, put the following VCL configuration towards the top of the VCL configuration::

sub vsv8 {
    if ((req.http.Content-Length || req.http.Transfer-Encoding) &&
      req.proto != "HTTP/2.0") {
        set resp.http.Connection = "close";
    }
}

sub vcl_synth { call vsv8; }
sub vcl_deliver { call vsv8; }

Identification

Smuggled requests will show in the logs generated by Varnish as normal requests. It may be possible to identify the smuggled requests by comparing the Varnish logs with logs from any proxy software between the Varnish server and the client.

Timeline

2021-12-17

• Independent security researcher contacts the Varnish Cache project about a potential problem.

2021-12-18

• Problem is confirmed, preliminary patch and test case developed.

2021-12-21

• Varnish Software released patched Varnish Enterprise version 6.0.9r4 to address the issue.

2022-01-07

• Varnish Software released patched Varnish Enterprise version 4.1.11r6 to address the issue.

2022-01-25

• Public disclosure and updated open source packages.

References

• CVE-2022-23959
• Varnish Cache VSV00008 announcement