Bug#1004433: CVE-2022-23959: VSV00008 Varnish HTTP/1 Request Smuggling Vulnerability

Andreas Unterkircher

Jan 27, 2022, 10:50:03 AM
Package: varnish
Severity: normal

Hello!

There is a new vendor announcement regarding a request smuggling attack,
this time affecting HTTP/1 connections. It's apparently affecting all
versions >= Stretch.

https://varnish-cache.org/security/VSV00008.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959

Best Regards,
Andreas

Andreas Unterkircher

Feb 9, 2022, 3:50:03 AM
CVE-2022-23959 has meanwhile been rated as critical:
https://nvd.nist.gov/vuln/detail/CVE-2022-23959

Apparently it is rather easy to exploit:
http://cwe.mitre.org/data/definitions/444.html

Any ETA when a security-upgrade could become available?

Fixes for the vulnerability seem to be rather trivial:
https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
https://github.com/varnishcache/varnish-cache/commit/1020be7e886399a4e94407ae0dfbfd1475cc5756

Cheers,
Andreas

Andreas Unterkircher

Feb 23, 2022, 3:50:04 AM
I know we (or most of us) are volunteers working on Debian. But I have
to admit I'm a bit worried that we haven't patched this critical
cache-poisoning vulnerability in Varnish for one month (except in Debian
Stretch LTS).

Attached are patches containing the fixes for CVE-2022-23959.

For Debian Buster I took them from the Varnish 6.0 LTS branch:

https://github.com/varnishcache/varnish-cache/commit/dcbe8b9ebf5b352e2534fc5645afa1d9747e9647
https://github.com/varnishcache/varnish-cache/commit/b8351f7f6231315f0fe00410b91893235eb29f57

For Debian Bullseye from the Varnish 6.6 branch:

https://github.com/varnishcache/varnish-cache/commit/9ed39d1f796369caafb647fe37b729c07f332327
https://github.com/varnishcache/varnish-cache/commit/ec531e16b9cd139bbf8971c5b306561c669681f4

Cheers,
Andreas
CVE-2022-23959_bullseye.patch
CVE-2022-23959_buster.patch

Salvatore Bonaccorso

Feb 23, 2022, 4:10:04 AM
Hi,
Those updates were already prepared by Florian Weimer, but we need
someone using it to actually test the updates, as they include other CVE
fixes (namely CVE-2021-36740). If you are interested in testing (yet
unofficial) debs, let us know; this might speed up the DSA
release a bit ;-)

Regards,
Salvatore

Andreas Unterkircher

Feb 23, 2022, 5:30:03 AM
Hello Salvatore!

> Those updates were already prepared by Florian Weimer, but we need
> someone using it to actually test the updates, as they include other CVE
> fixes (namely CVE-2021-36740). If you are interested in testing (yet
> unofficial) debs, let us know; this might speed up the DSA
> release a bit ;-)

I'm not sure how to exploit these two flaws, so I probably can't verify
whether the updates by Florian ultimately fix the security issues. But I
can verify that the updated software packages would basically work on
some real-life systems. If that would already help you, feel free to
share :)

Regards,
Andreas

Salvatore Bonaccorso

Feb 25, 2022, 3:10:04 AM
Hi Andreas,

Sorry for the delay, busy yesterday. Thank you!

Unofficial and amd64-only builds (including the source in case you
want to build it on your own) are at:

https://people.debian.org/~carnil/tmp/varnish/

Would be great if you can test the packages in production, even if not
explicitly for the two CVEs so we can get some more confidence.

Regards,
Salvatore

Andreas Unterkircher

Feb 25, 2022, 11:50:03 AM
Hello Salvatore!

> Unofficial and amd64-only builds (including the source in case you
> want to build it on your own) are at:
>
> https://people.debian.org/~carnil/tmp/varnish/

I've installed the v6.1.1 packages on several of our Buster servers.
Apparently all the websites and portals hosted there are working well. I
tested access with HTTP/2 as well as HTTP/1.1 only. Continuously
firing 100 req/sec with locust against this patched Varnish also works fine.

Shall I test the packages on Bullseye too (could do that on Monday), or
is Buster already enough?

Cheers,
Andreas

Florian Weimer

Feb 25, 2022, 4:20:04 PM
* Andreas Unterkircher:
I'd appreciate it if you could test bullseye as well. Thanks!

Andreas Unterkircher

Feb 28, 2022, 3:10:03 AM
> I'd appreciate it if you could test bullseye as well. Thanks!

I have updated a server with Buster (on which I tested Varnish
v6.1.1-1+deb10u3 before) to Bullseye and upgraded Varnish to
6.5.1-1+deb11u2.

The results are pretty much the same as with Buster.

The hosted pages work correctly with HTTP/1.1 through Varnish.
The same for HTTP/2.
Locust against Varnish with 100 req/sec gives stable results over 10 min
of testing.

user@host:~$ sudo varnishd -V
varnishd (varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2020 Varnish Software
user@host:~$ sudo varnishstat -n $(hostname) -1
MGT.uptime 1054 1.00 Management process uptime
MGT.child_start 1 0.00 Child process started
MGT.child_exit 0 0.00 Child process normal exit
MGT.child_stop 0 0.00 Child process unexpected exit
MGT.child_died 0 0.00 Child process died (signal)
MGT.child_dump 0 0.00 Child process core dumped
MGT.child_panic 0 0.00 Child process panic
MAIN.summs 74450 70.57 stat summ operations
MAIN.uptime 1055 1.00 Child process uptime
MAIN.sess_conn 25393 24.07 Sessions accepted
MAIN.sess_fail 0 0.00 Session accept failures
MAIN.sess_fail_econnaborted 0 0.00 Session accept failures: connection aborted
MAIN.sess_fail_eintr 0 0.00 Session accept failures: interrupted system call
MAIN.sess_fail_emfile 0 0.00 Session accept failures: too many open files
MAIN.sess_fail_ebadf 0 0.00 Session accept failures: bad file descriptor
MAIN.sess_fail_enomem 0 0.00 Session accept failures: not enough memory
MAIN.sess_fail_other 0 0.00 Session accept failures: other
MAIN.client_req_400 0 0.00 Client requests received, subject to 400 errors
MAIN.client_req_417 0 0.00 Client requests received, subject to 417 errors
MAIN.client_req 35030 33.20 Good client requests received
MAIN.cache_hit 33703 31.95 Cache hits


Cheers,
Andreas
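A version check as an added example, not code from this thread, from Debian or from Varnish: it reimplements dpkg's version ordering in Python and tells you whether an installed varnish package is at or above the package versions the thread reports as tested (6.1.1-1+deb10u3 on Buster, 6.5.1-1+deb11u2 on Bullseye). That these are the versions the final DSA shipped is an assumption of the example; in practice the installed version string comes from `dpkg-query -W -f='${Version}' varnish`.

```python
"""Compare Debian package versions using dpkg's ordering rules and check
whether an installed varnish package carries the CVE-2022-23959 fix."""
import re
from typing import Tuple

# Package versions reported as tested in the thread. Assumption: these
# are the fixed versions; adjust if the DSA names different ones.
FIXED_VERSIONS = {
    "buster": "6.1.1-1+deb10u3",
    "bullseye": "6.5.1-1+deb11u2",
}

def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything (even end of
    string), letters by code point, other punctuation after letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or revision component like dpkg."""
    while a or b:
        # Non-digit runs are compared character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit runs are compared numerically (leading zeros ignored).
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' (epoch and revision optional)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg order)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_patched(suite: str, installed: str) -> bool:
    """True if the installed version is at or above the tested version."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0
```

A backport built from the same source (for example a `~bpo` suffix) correctly sorts below the fixed version, so the check does not mistake it for the real update.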

Salvatore Bonaccorso

Mar 3, 2022, 1:40:03 AM
Hi Andreas,
Thanks a lot for your testing, this is very much appreciated!

Florian, should we go ahead with the DSA release?

Regards,
Salvatore

Florian Weimer

Mar 3, 2022, 8:40:03 AM
* Salvatore Bonaccorso:

> Thanks a lot for your testing, this is very much appreciated!
>
> Florian, should we go ahead with the DSA release?

We should, I'll look into it this evening. Thanks for all the
testing!