Bug 2117692 (CVE-2022-38150)

Summary: CVE-2022-38150 varnish: denial of service via colon-starting reason phrase
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: dridi.boukelmoune, hhorak, ingvar, jorton, luhliari, pgnet.dev
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: varnish 7.0.3, varnish 7.1.1
Doc Type: ---
Doc Text:
A flaw was found in Varnish where a denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. To execute an attack, the attacker needs the ability to influence the HTTP/1 responses that the Varnish Server receives from its configured backends, causing the Varnish Server to assert and automatically restart.
Story Points: ---
Last Closed: 2022-09-01 23:55:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2118570, 2118571, 2118572, 2118573, 2118574
Bug Blocks: 2116814

Description Mauro Matteo Cascella 2022-08-11 15:58:24 UTC
A denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. In order to execute an attack, the attacker would have to be able to influence the HTTP/1 responses that the Varnish Server receives from its configured backends. A successful attack would cause the Varnish Server to assert and automatically restart.

Security advisory:
https://varnish-cache.org/security/VSV00009.html

Upstream issue & fix:
https://github.com/varnishcache/varnish-cache/issues/3830
https://github.com/varnishcache/varnish-cache/commit/c5fd097e5cce8b461c6443af02b3448baef2491d

Comment 1 Sandipan Roy 2022-08-16 07:37:01 UTC
Created varnish tracking bugs for this issue:

Affects: epel-all [bug 2118571]
Affects: fedora-all [bug 2118570]


Created varnish-modules tracking bugs for this issue:

Affects: fedora-all [bug 2118572]


Created varnish:6.0/varnish tracking bugs for this issue:

Affects: fedora-all [bug 2118573]


Created varnish:6.0/varnish-modules tracking bugs for this issue:

Affects: fedora-all [bug 2118574]

Comment 2 Fedora Update System 2022-08-22 01:10:30 UTC
FEDORA-2022-1fa6d1ed2f has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 3 Product Security DevOps Team 2022-09-01 23:55:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-38150