Bug 1982409 (CVE-2021-36740) - CVE-2021-36740 varnish: HTTP/2 request smuggling attack via a large Content-Length header for a POST request
Summary: CVE-2021-36740 varnish: HTTP/2 request smuggling attack via a large Content-L...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-36740
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1982412 1982413 1982414 1982858 1982859 1982860 1982861 1982862 1982863 1982864
Blocks: 1982416
Reported: 2021-07-14 19:11 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:30 UTC

Fixed In Version: varnish 6.6.1, varnish 6.5.2, varnish 6.0.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Varnish. Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. As a result, this flaw allows the contents of the Varnish cache to be poisoned. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Clone Of:
Environment:
Last Closed: 2021-08-02 19:06:59 UTC
Embargoed:


Links
Red Hat Product Errata RHBA-2021:2995 (last updated 2021-08-03 09:22:59 UTC)
Red Hat Product Errata RHBA-2021:3000 (last updated 2021-08-03 15:48:13 UTC)
Red Hat Product Errata RHSA-2021:2988 (last updated 2021-08-02 15:16:07 UTC)
Red Hat Product Errata RHSA-2021:2993 (last updated 2021-08-03 09:22:05 UTC)

Description Guilherme de Almeida Suckevicz 2021-07-14 19:11:14 UTC
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.

Reference:
https://varnish-cache.org/security/VSV00007.html

Comment 1 Guilherme de Almeida Suckevicz 2021-07-14 19:13:01 UTC
Created varnish tracking bugs for this issue:

Affects: epel-7 [bug 1982414]
Affects: fedora-all [bug 1982412]


Created varnish:6.0/varnish tracking bugs for this issue:

Affects: fedora-all [bug 1982413]

Comment 5 Marco Benatto 2021-07-16 19:25:10 UTC
Currently a request smuggling attack is possible when using Varnish with HTTP/2 support. An attacker can craft special POST requests leading to the smuggling; the smuggled requests won't be processed by any VCL rule on the Varnish side and thus can successfully reach the backend server even if they wouldn't have been allowed when sent as a legitimate request. An attacker can leverage this to store the smuggled request's response in the Varnish cache, causing cache poisoning.

Comment 6 Marco Benatto 2021-07-16 19:29:25 UTC
Upstream commit for this issue:
https://github.com/varnishcache/varnish-cache/commit/d4c67d2a1a05304598895c24663c58a2e2932708

Comment 7 errata-xmlrpc 2021-08-02 15:16:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 8.1 Extended Update Support
  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2988 https://access.redhat.com/errata/RHSA-2021:2988

Comment 8 Product Security DevOps Team 2021-08-02 19:06:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-36740

Comment 9 errata-xmlrpc 2021-08-03 09:22:03 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2021:2993 https://access.redhat.com/errata/RHSA-2021:2993
