Ubuntu update for varnish
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2019-20637 CVE-2020-11653 CVE-2021-36740 CVE-2022-23959 |
| CWE-ID | CWE-200 CWE-20 CWE-444 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system libvarnishapi2 (Ubuntu package) Operating systems & Components / Operating system package or component varnish (Ubuntu package) Operating systems & Components / Operating system package or component libvarnishapi1 (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU30309
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-20637
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connection workspace, such as data structures associated with previous requests within this connection or VCL-related temporary headers.
MitigationUpdate the affected package varnish to the latest version.
Vulnerable software versionsUbuntu: 18.04 - 22.04
libvarnishapi2 (Ubuntu package): before 6.2.1-2ubuntu0.1
varnish (Ubuntu package): before 5.2.1-1ubuntu0.1
libvarnishapi1 (Ubuntu package): before 5.2.1-1ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:21.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:libvarnishapi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:varnish_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:libvarnishapi1_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-5474-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU30310
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-11653
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.
MitigationUpdate the affected package varnish to the latest version.
Vulnerable software versionsUbuntu: 18.04 - 22.04
libvarnishapi2 (Ubuntu package): before 6.2.1-2ubuntu0.1
varnish (Ubuntu package): before 5.2.1-1ubuntu0.1
libvarnishapi1 (Ubuntu package): before 5.2.1-1ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:21.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:libvarnishapi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:varnish_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:libvarnishapi1_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-5474-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU55501
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-36740
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 POST request with a large Content-Length header to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache or bypass VCL authorization.
MitigationUpdate the affected package varnish to the latest version.
Vulnerable software versionsUbuntu: 18.04 - 22.04
libvarnishapi2 (Ubuntu package): before 6.2.1-2ubuntu0.1
varnish (Ubuntu package): before 5.2.1-1ubuntu0.1
libvarnishapi1 (Ubuntu package): before 5.2.1-1ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:21.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:libvarnishapi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:varnish_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:libvarnishapi1_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-5474-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU60291
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-23959
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to preform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP/1 requests. A remote attacker can send a specially crafted HTTP/1 request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationUpdate the affected package varnish to the latest version.
Vulnerable software versionsUbuntu: 18.04 - 22.04
libvarnishapi2 (Ubuntu package): before 6.2.1-2ubuntu0.1
varnish (Ubuntu package): before 5.2.1-1ubuntu0.1
libvarnishapi1 (Ubuntu package): before 5.2.1-1ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:21.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:libvarnishapi2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:varnish_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:libvarnishapi1_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-5474-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
