A request forgery attack can be performed against Varnish Cache and Varnish Cache Plus servers that have the HTTP/2 protocol enabled. An attacker may introduce characters through the HTTP/2 pseudo-headers (:method and :path) that are invalid in an HTTP/1 request line, causing the Varnish server to send invalid HTTP/1 requests to the backend. This may in turn be used to exploit vulnerabilities in a server behind the Varnish server.
This problem was discovered and reported to us by Martin van Kervel Smedshammer, Graduate Student at the University of Oslo. We wish to thank him for the responsible disclosure.
The potential impact is request forgery towards the backend.
The recommended solution is to upgrade Varnish to one of the versions where this issue has been resolved, and then ensure that Varnish is restarted (reloading the VCL is not sufficient, since the fix is in the varnishd binary).
On RPM-based systems (Red Hat Enterprise Linux / CentOS), you should already have configured the Varnish Enterprise repository, so a normal upgrade will be enough:
$ sudo yum update varnish-plus
$ sudo systemctl restart varnish
Verify that the installed version is 6.0.10r3 or later:
$ rpm -q varnish-plus
varnish-plus-6.0.10r3-1.el7.x86_64
On Debian-based systems (Debian / Ubuntu), you should already have configured the Varnish Enterprise repository, so a normal upgrade will be enough:
$ sudo apt-get update
$ sudo apt-get install --only-upgrade varnish-plus
$ sudo systemctl restart varnish
Verify that the installed version is 6.0.10r3 or later:
$ dpkg -l varnish-plus
[...]
ii varnish-plus 6.0.10r3-1~xenial amd64 A supercharged version of the popular web cache, Varnish Cache
If upgrading Varnish is not possible, it is possible to mitigate the problem by adding the following snippet at the beginning of the vcl_recv VCL function:
sub vcl_recv {
    # req.method and req.url are filled in from the HTTP/2 :method and :path
    # pseudo-headers. Reject an empty value, or any space or tab in the value,
    # since either would corrupt the HTTP/1 request line sent to the backend.
    if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") {
        return (synth(400));
    }
}
This VCL statement tests whether the VCL variables filled in from the incoming HTTP/2 pseudo-headers (req.method from :method, req.url from :path) are empty or contain any of the problematic characters (space or tab), and answers with a 400 "Bad request" synthetic response if so. Place it before any other logic in vcl_recv so that no code path forwards such a request to the backend.
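As an added example (not code from this advisory or from Varnish itself), the following Python models what the advisory describes: a proxy naively joining the HTTP/2 :method and :path pseudo-headers into an HTTP/1 request line, next to the mitigation VCL's regex translated to Python. The request-line construction is a simplified assumption, not Varnish's actual implementation, and the pseudo-header sets are constructed. It shows that a space, a tab or an empty value produces a line that is not a valid HTTP/1 request line, and that the mitigation check rejects exactly those inputs.

```python
import re

# Same pattern as the advisory's mitigation VCL (`req.url ~ "(^$)|[ \t]+"`):
# an empty value, or a space/tab anywhere in the value.
MITIGATION_RE = re.compile(r"(^$)|[ \t]+")

# Shape of an HTTP/1.1 request line (RFC 9112, section 3): a token method,
# one space, a request-target with no whitespace, one space, the version,
# then CRLF. Used here only to judge what the backend would receive.
REQUEST_LINE_RE = re.compile(
    r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+ [^ \t\r\n]+ HTTP/1\.[01]\r\n"
)


def vcl_recv_check(method: str, url: str):
    """Model of the mitigation: return 400 if the VCL would synth a 400, else None.

    VCL's `~` is a regex search, so re.search is the faithful translation."""
    if MITIGATION_RE.search(url) or MITIGATION_RE.search(method):
        return 400
    return None


def build_request_line(method: str, url: str) -> str:
    """Simplified model (an assumption, not Varnish's real code) of how a proxy
    turns the HTTP/2 :method and :path pseudo-headers into an HTTP/1 request line."""
    return f"{method} {url} HTTP/1.1\r\n"


def is_valid_request_line(line: str) -> bool:
    """True if the line parses as exactly one well-formed HTTP/1 request line."""
    return REQUEST_LINE_RE.fullmatch(line) is not None


def forward(pseudo_headers: dict, mitigated: bool) -> tuple:
    """Return ("synth", 400) when the mitigation rejects the request, otherwise
    ("backend", <request line>, <whether that line is a valid HTTP/1 request line>)."""
    method = pseudo_headers.get(":method", "")
    url = pseudo_headers.get(":path", "")
    if mitigated and vcl_recv_check(method, url) == 400:
        return ("synth", 400)
    line = build_request_line(method, url)
    return ("backend", line, is_valid_request_line(line))


# Constructed sample HTTP/2 pseudo-header sets: one benign, three carrying
# the characters the advisory describes (space, tab, empty value).
SAMPLES = {
    "benign": {":method": "GET", ":path": "/index.html"},
    "space_in_path": {":method": "GET", ":path": "/index.html extra"},
    "tab_in_method": {":method": "GET\tPOST", ":path": "/"},
    "empty_path": {":method": "GET", ":path": ""},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:15} unmitigated -> {forward(hdrs, mitigated=False)!r}")
        print(f"{name:15} mitigated   -> {forward(hdrs, mitigated=True)!r}")
```

The benign request reaches the backend unchanged in both modes; the three malformed ones reach the backend as invalid request lines without the mitigation and are answered with a synthetic 400 with it. The same check belongs in the proxy itself, which is what the fixed Varnish versions do; the VCL snippet only covers the gap until the upgrade is possible.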
2022-09-25
2022-09-26
2022-10-04
2022-11-08