Bug 2141844 (CVE-2022-45060) - CVE-2022-45060 varnish: Request Forgery Vulnerability
Summary: CVE-2022-45060 varnish: Request Forgery Vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-45060
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2141847 2141848 2142088 2142089 2142090 2142091 2142092 2142093 2142094 2142095 2142096 2142097
Blocks:
Reported: 2022-11-10 20:52 UTC by Marco Benatto
Modified: 2023-02-11 11:39 UTC
CC List: 3 users

Fixed In Version: varnish-7.1.2, varnish-7.2.1, varnish-6.0.11
Doc Type: ---
Doc Text:
An HTTP Request Forgery issue was discovered in Varnish Cache. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could be used to exploit vulnerabilities in a server behind the Varnish server.
Clone Of:
Environment:
Last Closed: 2023-02-11 11:39:59 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2023:0701  0        None      None    None     2023-02-09 07:54:41 UTC
Red Hat Product Errata  RHSA-2022:8643  0        None      None    None     2022-11-28 10:11:07 UTC
Red Hat Product Errata  RHSA-2022:8644  0        None      None    None     2022-11-28 10:20:12 UTC
Red Hat Product Errata  RHSA-2022:8645  0        None      None    None     2022-11-28 10:27:52 UTC
Red Hat Product Errata  RHSA-2022:8646  0        None      None    None     2022-11-28 10:30:01 UTC
Red Hat Product Errata  RHSA-2022:8647  0        None      None    None     2022-11-28 10:33:38 UTC
Red Hat Product Errata  RHSA-2022:8649  0        None      None    None     2022-11-28 10:50:14 UTC
Red Hat Product Errata  RHSA-2022:8650  0        None      None    None     2022-11-28 10:50:28 UTC
Red Hat Product Errata  RHSA-2023:0673  0        None      None    None     2023-02-08 17:25:26 UTC

Description Marco Benatto 2022-11-10 20:52:40 UTC
An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.
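
The description above explains the class of bug: a value carried in an HTTP/2 pseudo-header (:method, :path, :authority) is copied into the HTTP/1 request line the proxy sends to its backend, so any byte that is a delimiter or control character in that line changes how the backend parses the request. The following is an added illustration of the check a translating proxy needs at that boundary; it is not Varnish code and does not reproduce the upstream fix. The function names, the pseudo-header dictionary layout and the sample inputs are all constructed for this example.

```python
"""Validate HTTP/2 pseudo-headers before mapping them to an HTTP/1.1
request line. Constructed example for the bug class in CVE-2022-45060;
not Varnish code and not its fix."""

import string

# RFC 9110 "tchar": the only characters allowed in a method token.
TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


class PseudoHeaderError(ValueError):
    """Raised when a pseudo-header cannot be carried in an HTTP/1 request line."""


def check_method(method):
    # Anything outside tchar (including SP, HTAB, CR, LF) would split or
    # terminate "METHOD SP target SP HTTP/1.1 CRLF" on the backend side.
    if not method or any(c not in TCHAR for c in method):
        raise PseudoHeaderError(":method contains characters outside tchar")
    return method


def check_target(name, value):
    # Conservative check for the request-target position: reject the empty
    # value, every control byte, SP (0x20), DEL (0x7f) and all non-ASCII.
    # This is the subset that matters for line-splitting, not a full
    # URI grammar check; a real proxy would also validate URI syntax.
    if not value:
        raise PseudoHeaderError(f"{name} must not be empty")
    for c in value:
        if ord(c) < 0x21 or ord(c) > 0x7E:
            raise PseudoHeaderError(
                f"{name} contains byte {ord(c):#04x}, invalid in a request line")
    return value


def build_request_line(pseudo):
    """Map HTTP/2 pseudo-headers to an HTTP/1.1 request line.

    pseudo: dict with ":method", ":path" and optionally ":authority".
    Returns the request line without the trailing CRLF, or raises
    PseudoHeaderError if any value would corrupt the line.
    """
    method = check_method(pseudo.get(":method", ""))
    authority = pseudo.get(":authority")
    if authority is not None:
        check_target(":authority", authority)
    if method == "CONNECT":
        # For CONNECT the target is the authority, not :path (RFC 9113 8.5).
        if authority is None:
            raise PseudoHeaderError("CONNECT requires :authority")
        return f"CONNECT {authority} HTTP/1.1"
    path = check_target(":path", pseudo.get(":path", ""))
    return f"{method} {path} HTTP/1.1"


def is_safe(pseudo):
    """True if the pseudo-headers map to a well-formed HTTP/1.1 request line."""
    try:
        build_request_line(pseudo)
        return True
    except PseudoHeaderError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one clean request, one with a space in :path.
    for sample in ({":method": "GET", ":path": "/index.html"},
                   {":method": "GET", ":path": "/a b"}):
        print(sample, "->", "accepted" if is_safe(sample) else "rejected")
```

The point of rejecting at the HTTP/2 layer, rather than trusting the backend to cope, is that the proxy is the component that chose to re-serialise the request as HTTP/1; once a forbidden byte reaches the backend the proxy no longer controls how it is interpreted. On the detection side, a count of HTTP/2 streams refused for this reason is a cheap signal worth exporting from any translating proxy.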

Comment 1 Marco Benatto 2022-11-10 20:54:04 UTC
Created varnish tracking bugs for this issue:

Affects: epel-7 [bug 2141848]
Affects: fedora-all [bug 2141847]

Comment 4 Marco Benatto 2022-11-11 15:24:25 UTC
Public upstream commit for this issue:
https://github.com/varnishcache/varnish-cache/commit/687ffb6452ba570778a83b6eb1df8ac1b31d9221

Comment 5 errata-xmlrpc 2022-11-28 10:11:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8643 https://access.redhat.com/errata/RHSA-2022:8643

Comment 6 errata-xmlrpc 2022-11-28 10:20:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8644 https://access.redhat.com/errata/RHSA-2022:8644

Comment 7 errata-xmlrpc 2022-11-28 10:27:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8645 https://access.redhat.com/errata/RHSA-2022:8645

Comment 8 errata-xmlrpc 2022-11-28 10:30:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:8646 https://access.redhat.com/errata/RHSA-2022:8646

Comment 9 errata-xmlrpc 2022-11-28 10:33:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:8647 https://access.redhat.com/errata/RHSA-2022:8647

Comment 10 errata-xmlrpc 2022-11-28 10:50:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:8649 https://access.redhat.com/errata/RHSA-2022:8649

Comment 11 errata-xmlrpc 2022-11-28 10:50:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2022:8650 https://access.redhat.com/errata/RHSA-2022:8650

Comment 12 errata-xmlrpc 2023-02-08 17:25:25 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0673 https://access.redhat.com/errata/RHSA-2023:0673

Comment 13 Product Security DevOps Team 2023-02-11 11:39:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-45060