CVE-2022-38150 - OpenCVE

In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Varnish Cache Project	Varnish Cache

Configuration 1 [-]

OR	cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.0:::::::*
	cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.1:::::::*
	cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.2:::::::*
	cpe:2.3:a:varnish_cache_project:varnish_cache:7.1.0:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

No data.

References

Link	Providers
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/
https://nvd.nist.gov/vuln/detail/CVE-2022-38150
https://varnish-cache.org/security/VSV00009.html
https://www.cve.org/CVERecord?id=CVE-2022-38150

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-08-11T00:00:00

Updated: 2024-08-03T10:45:52.855Z

Reserved: 2022-08-11T00:00:00

Link: CVE-2022-38150

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-11T01:15:10.847

Modified: 2023-11-07T03:50:03.810

Link: CVE-2022-38150

Redhat

Severity : Moderate

Publid Date: 2022-08-09T00:00:00Z

Links: CVE-2022-38150 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-38150", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T10:45:52.855Z", "dateReserved": "2022-08-11T00:00:00", "datePublished": "2022-08-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-11-26T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://varnish-cache.org/security/VSV00009.html"}, {"name": "FEDORA-2022-1fa6d1ed2f", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/"}, {"name": "FEDORA-2022-99702d9bdd", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/"}, {"name": "FEDORA-2022-99c5ddb2ae", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:45:52.855Z"}, "title": "CVE Program Container", "references": [{"url": "https://varnish-cache.org/security/VSV00009.html", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-1fa6d1ed2f", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/"}, {"name": "FEDORA-2022-99702d9bdd", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/"}, {"name": "FEDORA-2022-99c5ddb2ae", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8D48E766-F2CC-41FC-9592-5C379E9D0536", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EF3C4377-D484-4017-9B4D-460E6ADB5089", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "5CE74425-2ACB-4EB8-A0F1-C103F9EA3790", "vulnerable": true}, {"criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DFAE65ED-9F38-4844-A248-5898A6272FA3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1."}, {"lang": "es", "value": "En Varnish Cache versiones 7.0.0, 7.0.1, 7.0.2 y 7.1.0, es posible causar que el servidor Varnish sea afirmado y reiniciado autom\u00e1ticamente mediante respuestas backend HTTP/1 falsificadas. Un ataque usa una frase de raz\u00f3n dise\u00f1ada de la l\u00ednea de estado de la respuesta del backend. Esto ha sido corregido en versiones 7.0.3 y 7.1.1"}], "id": "CVE-2022-38150", "lastModified": "2023-11-07T03:50:03.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-11T01:15:10.847", "references": [{"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://varnish-cache.org/security/VSV00009.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges Anthony Schwartz as the original reporter.", "bugzilla": {"description": "varnish: denial of service via colon-starting reason phrase", "id": "2117692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117692"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.", "A flaw was found in Varnish where a denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. To execute an attack, the attacker needs the ability to influence the HTTP/1 responses that the Varnish Server receives from its configured backends, causing the Varnish Server to assert and automatically restart."], "mitigation": {"lang": "en:us", "value": "As mentioned in the upstream security advisory, If upgrading Varnish is not possible, it is possible to mitigate the problem by adding the following snippet at the beginning of the vcl_backend_response VCL function:\n```\nsub vcl_backend_response {\nset beresp.status = beresp.status;\n}\n```\nBy setting the status code to itself as described above, the reason field will automatically be reset to the standard value for the given status code, or \u201cUnknown HTTP Status\u201d if no standard value exists for that code. This would overwrite any existing attack content in the reason field."}, "name": "CVE-2022-38150", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "varnish:6/varnish", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "varnish:6/varnish-modules", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "varnish-modules", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "varnish", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "varnish-modules", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-varnish6-jemalloc", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-varnish6-varnish", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-varnish6-varnish-modules", "product_name": "Red Hat Software Collections"}], "public_date": "2022-08-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-38150\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-38150"], "threat_severity": "Moderate", "upstream_fix": "varnish 7.0.3, varnish 7.1.1"}