Lucene search

K
amazonAmazonALAS-2022-1632
HistoryAug 15, 2022 - 6:37 p.m.

Important: varnish

2022-08-1518:37:00
alas.aws.amazon.com
6

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

74.0%

Issue Overview:

A flaw was found in Varnish. This flaw allows an attacker to carry out a request smuggling attack on HTTP/1 connections on Varnish cache servers. This smuggled request goes through the usual Varnish Configuration Language (VCL) processing since the Varnish server treats it as an additional request. (CVE-2022-23959)

Affected Packages:

varnish

Issue Correction:
Run yum update varnish to update your system.

New Packages:

i686:  
    varnish-libs-4.0.5-3.23.amzn1.i686  
    varnish-libs-devel-4.0.5-3.23.amzn1.i686  
    varnish-docs-4.0.5-3.23.amzn1.i686  
    varnish-4.0.5-3.23.amzn1.i686  
    varnish-debuginfo-4.0.5-3.23.amzn1.i686  
  
src:  
    varnish-4.0.5-3.23.amzn1.src  
  
x86_64:  
    varnish-libs-4.0.5-3.23.amzn1.x86_64  
    varnish-libs-devel-4.0.5-3.23.amzn1.x86_64  
    varnish-4.0.5-3.23.amzn1.x86_64  
    varnish-docs-4.0.5-3.23.amzn1.x86_64  
    varnish-debuginfo-4.0.5-3.23.amzn1.x86_64  

Additional References

Red Hat: CVE-2022-23959

Mitre: CVE-2022-23959

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.004 Low

EPSS

Percentile

74.0%

Related for ALAS-2022-1632