Vinyl Cache
- 9.0.0
A vulnerability exists in Vinyl Cache versions prior to 9.0.1 and Varnish Cache versions prior to 9.0.3, as well as in Varnish Cache releases from 7.6.0 up to and including 8.0.1, and in the Varnish Cache 6.0 LTS series from 6.0.14 up to and including 6.0.17. The issue arises from a deficiency in HTTP/2 request parsing, which can be exploited to launch a backend request desynchronization attack, commonly known as request smuggling. This exploitation can lead to cache poisoning, authentication bypass, and potentially allow for information disclosure and manipulation. The vulnerability is only exploitable if HTTP/2 support is enabled, which is not the default setting.
Exploitation of this vulnerability can cause request desynchronization on the backend, leading to request smuggling. This allows for cache poisoning, bypassing authentication mechanisms, and potentially disclosing and manipulating information.
Users are advised to upgrade to Vinyl Cache 9.0.1 or Varnish Cache 9.0.3. For Varnish Cache, version 8.0.2 is also recommended. If an upgrade is not possible, HTTP/2 support can be disabled. For Varnish Cache, this can be done by removing `-p feature=+http2` from the `varnishd` startup parameters and changing the TLS offloader to no longer send the `h2` ALPN. In Vinyl Cache, HTTP/2 can be disabled by removing `-p feature=+http2` from the `vinyld` startup parameters. Additionally, VCL mitigations are available for both Vinyl Cache and Varnish Cache users.
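To confirm the workaround took effect, the following added example (not code from the Vinyl Cache or Varnish Cache projects) reports whether a `varnishd` or `vinyld` argument list leaves HTTP/2 enabled. It assumes HTTP/2 is off unless enabled (as stated above), that `-p` settings are applied left to right, and that feature flags are comma- or space-separated; the function name `h2_state` and the sample arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a varnishd/vinyld argument list for the HTTP/2 feature flag.
# Assumptions: HTTP/2 starts disabled, later -p settings override earlier ones,
# and several flags may share one "feature=" value (comma- or space-separated).

# h2_state ARG...  -> prints "enabled" or "disabled"
# The body runs in a subshell so its variables and "set -f" stay local.
h2_state() (
    set -f                      # no globbing when splitting the flag list
    state=disabled
    while [ "$#" -gt 0 ]; do
        value=
        case "$1" in
            -p)   value=${2-}                      # "-p feature=+http2"
                  if [ "$#" -gt 1 ]; then shift; fi ;;
            -p?*) value=${1#-p} ;;                 # "-pfeature=+http2"
        esac
        shift
        case "$value" in
            feature=*) value=${value#feature=} ;;
            *) continue ;;                         # not a feature setting
        esac
        for flag in $(printf '%s' "$value" | tr ',' ' '); do
            case "$flag" in
                +http2)              state=enabled ;;
                -http2|none|default) state=disabled ;;
            esac
        done
    done
    printf '%s\n' "$state"
)

# Constructed sample invocations:
h2_state -a :80 -f /etc/varnish/default.vcl -p feature=+http2
h2_state -a :80 -f /etc/varnish/default.vcl
```

Pass it the arguments from the service's actual start command. A `disabled` result covers only the daemon flag, so the TLS offloader's ALPN list still has to be checked separately for `h2`.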