CVE-2022-23959
📋 TL;DR
This CVE describes an HTTP request smuggling vulnerability in Varnish Cache and Varnish Enterprise. Attackers can exploit this to bypass security controls, poison caches, or hijack user sessions. Organizations using affected versions of Varnish as HTTP reverse proxies are vulnerable.
💻 Affected Systems
- Varnish Cache
- Varnish Enterprise (Cache Plus)
📦 What is this software?
Fedora by Fedoraproject
Varnich Cache by Varnish Software
Varnich Cache by Varnish Software
Varnich Cache by Varnish Software
Varnish Cache by Varnish Software
Varnish Cache by Varnish Cache Project
Varnish Cache Plus by Varnish Software
⚠️ Risk & Real-World Impact
Worst Case
Attackers could poison caches with malicious content, hijack user sessions, bypass authentication, or perform web cache poisoning attacks affecting all downstream users.
Likely Case
Cache poisoning leading to users receiving malicious content, session hijacking, or bypassing security controls like WAFs and authentication mechanisms.
If Mitigated
Limited impact if Varnish is behind additional security layers or not exposed to untrusted traffic, though risk remains for cache poisoning.
🎯 Exploit Status
Exploitation requires understanding of HTTP request smuggling techniques but tools exist. Attackers need to send specially crafted HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varnish Cache: 6.6.2, 7.0.2, 6.0.10; Varnish Enterprise: 4.1.11r6, 6.0.9r4
Vendor Advisory: https://varnish-cache.org/security/VSV00008.html
Restart Required: Yes
Instructions:
1. Check current Varnish version. 2. Download and install patched version from official repositories. 3. Restart Varnish service. 4. Verify version is updated.
🔧 Temporary Workarounds
Disable HTTP/1 pipelining
linuxConfigure Varnish to disable HTTP/1 pipelining which reduces request smuggling opportunities
varnishadm param.set feature +http1_pipeline 0
Use HTTP/2 or HTTP/3
allConfigure backend connections to use HTTP/2 or HTTP/3 protocols which are not vulnerable
🧯 If You Can't Patch
- Implement WAF rules to detect and block HTTP request smuggling attempts
- Place Varnish behind additional reverse proxies with request validation
🔍 How to Verify
Check if Vulnerable:
Check Varnish version with 'varnishd -V' and compare against affected versionsCheck Version:
varnishd -V 2>&1 | grep -i varnishVerify Fix Applied:
Verify version shows patched version after update and restart📡 Detection & Monitoring
Log Indicators:
- Multiple requests from single connection with unusual timing
- Requests with conflicting Content-Length and Transfer-Encoding headers
- Unexpected cache hits/misses patterns
Network Indicators:
- HTTP requests with both Content-Length and Transfer-Encoding headers
- Requests that appear to be two requests in one TCP connection
SIEM Query:
source="varnish" AND ("Content-Length" AND "Transfer-Encoding") OR "pipeline"🔗 References
- https://docs.varnish-software.com/security/VSV00008/
- https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
- https://varnish-cache.org/security/VSV00008.html
- https://www.debian.org/security/2022/dsa-5088
- https://docs.varnish-software.com/security/VSV00008/
- https://lists.debian.org/debian-lts-announce/2022/02/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UMMDMQWNAE3BTSZUHXQHVAMZC5TLHLYT/
- https://varnish-cache.org/security/VSV00008.html
- https://www.debian.org/security/2022/dsa-5088
