Bug 2045031 (CVE-2022-23959)

Summary: CVE-2022-23959 varnish: HTTP/1 request smuggling vulnerability
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: hello, hhorak, ingvar, jorton, luhliari, pgnet.dev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Varnish. This flaw allows an attacker to carry out a request smuggling attack on HTTP/1 connections on Varnish cache servers. This smuggled request goes through the usual Varnish Configuration Language (VCL) processing since the Varnish server treats it as an additional request.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-02-03 13:13:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2045032, 2045033, 2045034, 2047643, 2047645, 2047646, 2047647, 2047648, 2047650, 2081576, 2081577    
Bug Blocks: 2045035    

Description Pedro Sampaio 2022-01-25 13:34:45 UTC 
A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and injected as a spurious response on the client connection.

References:

https://varnish-cache.org/security/VSV00008.html#vsv00008
Comment 1 Pedro Sampaio 2022-01-25 13:35:15 UTC 
Created varnish tracking bugs for this issue:

Affects: epel-7 [bug 2045034]
Affects: fedora-all [bug 2045033]


Created varnish:6.0/varnish tracking bugs for this issue:

Affects: fedora-all [bug 2045032]
Comment 5 errata-xmlrpc 2022-02-03 09:55:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0418 https://access.redhat.com/errata/RHSA-2022:0418
Comment 6 errata-xmlrpc 2022-02-03 11:59:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0420 https://access.redhat.com/errata/RHSA-2022:0420
Comment 7 errata-xmlrpc 2022-02-03 12:08:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0421 https://access.redhat.com/errata/RHSA-2022:0421
Comment 8 errata-xmlrpc 2022-02-03 12:14:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0422 https://access.redhat.com/errata/RHSA-2022:0422
Comment 9 Product Security DevOps Team 2022-02-03 13:13:15 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23959
Comment 11 errata-xmlrpc 2022-05-25 08:06:31 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4745 https://access.redhat.com/errata/RHSA-2022:4745