CVE-2022-23959: 
Alma Linux vulnerability analysis and mitigation

CVE-2022-23959 is a request smuggling vulnerability discovered in Varnish Cache, affecting HTTP/1 connections. The vulnerability was identified in Varnish Cache before version 6.6.2, 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4. The vulnerability was discovered and reported by James Kettle, Director of Research at PortSwigger (Varnish Advisory).

The vulnerability allows an attacker to perform request smuggling attacks on HTTP/1 connections to Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, going through normal VCL processing, and being injected as a spurious response on the client connection. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability can lead to information disclosure and cache poisoning. Smuggled requests appear in the logs generated by Varnish as normal requests, making detection challenging without comparing Varnish logs with logs from proxy software between the Varnish server and the client (Varnish Advisory).

The primary mitigation is to upgrade to the fixed versions: Varnish Cache 6.6.2, 7.0.2, or 6.0 LTS version 6.0.10. If upgrading is not possible, a workaround involves implementing VCL configuration that prevents connection reuse on HTTP/1 client connections once a request body has been seen on the connection. This can be achieved by adding specific VCL code that sets the Connection header to 'close' under certain conditions (Varnish Advisory).

The vulnerability was responsibly disclosed and patched across multiple distributions including Debian, Ubuntu, and Fedora. Debian issued security advisories (DSA-5088-1 and DLA-2920-1) to address the vulnerability in their distributions (Debian Advisory).