Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8. Reference: https://varnish-cache.org/security/VSV00007.html
Created varnish tracking bugs for this issue: Affects: epel-7 [bug 1982414] Affects: fedora-all [bug 1982412] Created varnish:6.0/varnish tracking bugs for this issue: Affects: fedora-all [bug 1982413]
Currently a request smuggling attack is possible when using Varnish and HTTP/2 support. An attacker can craft special POST requests leading to the smuggling, the smuggled requests won't be processed by any VCL rule on varnish side thus can successfully reach the backend server even it wasn't allowed to when done via a legit request. An attacker can leverage this to store the smuggled request response into Varnish cache, causing cache poisoning.
Upstream commit for this issue: https://github.com/varnishcache/varnish-cache/commit/d4c67d2a1a05304598895c24663c58a2e2932708
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 8.1 Extended Update Support Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2988 https://access.redhat.com/errata/RHSA-2021:2988
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-36740
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2021:2993 https://access.redhat.com/errata/RHSA-2021:2993