Bug 1982409 (CVE-2021-36740)

Summary: CVE-2021-36740 varnish: HTTP/2 request smuggling attack via a large Content-Length header for a POST request
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: hhorak, ingvar, jorton, luhliari, pgnet.dev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: varnish 6.6.1, varnish 6.5.2 , varnish 6.0.8 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Varnish. The Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. As a result, this flaw allows the information on the Varnish cache to be poisoned. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-02 19:06:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1982412, 1982413, 1982414, 1982858, 1982859, 1982860, 1982861, 1982862, 1982863, 1982864    
Bug Blocks: 1982416    

Description Guilherme de Almeida Suckevicz 2021-07-14 19:11:14 UTC 
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.

Reference:
https://varnish-cache.org/security/VSV00007.html
Comment 1 Guilherme de Almeida Suckevicz 2021-07-14 19:13:01 UTC 
Created varnish tracking bugs for this issue:

Affects: epel-7 [bug 1982414]
Affects: fedora-all [bug 1982412]


Created varnish:6.0/varnish tracking bugs for this issue:

Affects: fedora-all [bug 1982413]
Comment 5 Marco Benatto 2021-07-16 19:25:10 UTC 
Currently a  request smuggling attack is possible when using Varnish and HTTP/2 support. An attacker can craft special POST requests leading to the smuggling, the smuggled requests won't be processed by any VCL rule on varnish side thus can successfully reach the backend server even it wasn't allowed to when done via a legit request. An attacker can leverage this to store the smuggled request response into Varnish cache, causing cache poisoning.
Comment 6 Marco Benatto 2021-07-16 19:29:25 UTC 
Upstream commit for this issue:
https://github.com/varnishcache/varnish-cache/commit/d4c67d2a1a05304598895c24663c58a2e2932708
Comment 7 errata-xmlrpc 2021-08-02 15:16:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 8.1 Extended Update Support
  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2988 https://access.redhat.com/errata/RHSA-2021:2988
Comment 8 Product Security DevOps Team 2021-08-02 19:06:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-36740
Comment 9 errata-xmlrpc 2021-08-03 09:22:03 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2021:2993 https://access.redhat.com/errata/RHSA-2021:2993