Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
H
homepage
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Commits
Open sidebar
varnishcache
homepage
Commits
c27afc39
Commit
c27afc39
authored
Oct 06, 2022
by
Martin Blix Grydeland
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
VSV00010.rst landing page
parent
b0eba137
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
63 additions
and
0 deletions
+63
-0
VSV00010.rst
R1/source/security/VSV00010.rst
+63
-0
No files found.
R1/source/security/VSV00010.rst
0 → 100644
View file @
c27afc39
.. _VSV00010:
VSV00010 Varnish Request Smuggling Vulnerability
================================================
Date: <TBD>
A request smuggling attack can be performed on Varnish Cache servers by
requesting that certain headers are made hop-by-hop, preventing the
Varnish Cache servers from forwarding critical headers to the
backend. Among the headers that can be filtered this way are both
`Content-Length` and `Host`, making it possible for an attacker to both
break the HTTP/1 protocol framing, and bypass request to host routing
in VCL.
Versions affected
-----------------
* Varnish Cache releases 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.2.0
Versions not affected
---------------------
* Varnish Cache 7.1.2 (released <TBD>)
* Varnish Cache 7.2.1 (released <TBD>)
* All versions of Varnish Cache 6.0 LTS series and Varnish Cache Plus by
Varnish Software.
* GitHub Varnish Cache master branch at commit <TBD>
Mitigation
----------
If upgrading Varnish is not possible, it is possible to mitigate the
problem by adding the following snippet at the beginning of the `vcl_recv`
VCL function::
sub vcl_recv {
# Start of mitigation for VSV00010
# Tip: Expand the regular expression token list to allow
# additional tokens, e.g. "(close|keep-alive|te|my-header)"
if (regsuball(req.http.connection,
"(?i)((close|keep-alive|te)[ ,]*)", "") !~ "^[ ,]*$") {
return (synth(400));
}
}
This VCL statement would ensure that any attempt to add anything but the
very frequently used tokens `close`, `keep-alive` and `TE` in an incoming
`Connection`-header would be answered with a 400 "Bad request" synthetic
response.
Note that some sites may need to allow other header names as tokens in the
`Connection`-header to function properly. If that is the case for your
site, add any additional headers needed like the commented tip suggests.
Credits
-------
This problem was reported by an external security researcher.
<TODO: Figure out if the OP wants to be credited.>
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
