Bug 1982409 (CVE-2021-36740)
Summary: | CVE-2021-36740 varnish: HTTP/2 request smuggling attack via a large Content-Length header for a POST request | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | hhorak, ingvar, jorton, luhliari, pgnet.dev |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | varnish 6.6.1, varnish 6.5.2 , varnish 6.0.8 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Varnish. The Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. As a result, this flaw allows the information on the Varnish cache to be poisoned. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-02 19:06:59 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1982412, 1982413, 1982414, 1982858, 1982859, 1982860, 1982861, 1982862, 1982863, 1982864 | ||
Bug Blocks: | 1982416 |
Description
Guilherme de Almeida Suckevicz
2021-07-14 19:11:14 UTC
Created varnish tracking bugs for this issue: Affects: epel-7 [bug 1982414] Affects: fedora-all [bug 1982412] Created varnish:6.0/varnish tracking bugs for this issue: Affects: fedora-all [bug 1982413] Currently a request smuggling attack is possible when using Varnish and HTTP/2 support. An attacker can craft special POST requests leading to the smuggling, the smuggled requests won't be processed by any VCL rule on varnish side thus can successfully reach the backend server even it wasn't allowed to when done via a legit request. An attacker can leverage this to store the smuggled request response into Varnish cache, causing cache poisoning. Upstream commit for this issue: https://github.com/varnishcache/varnish-cache/commit/d4c67d2a1a05304598895c24663c58a2e2932708 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 8.1 Extended Update Support Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2988 https://access.redhat.com/errata/RHSA-2021:2988 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-36740 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2021:2993 https://access.redhat.com/errata/RHSA-2021:2993 |