CVE-2022-45059
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2022-45059 is a request smuggling vulnerability discovered in Varnish Cache 7.x before 7.1.2 and 7.2.x before 7.2.1. The vulnerability was disclosed on November 8, 2022. Affected Varnish Cache servers honour a client's request to treat certain headers as hop-by-hop, which stops the server from forwarding critical headers to the backend and lets attackers perform request smuggling (Varnish Advisory).

Technical details

The vulnerability allows attackers to manipulate how headers are handled between Varnish Cache servers and backend systems. Specifically, attackers can cause critical headers such as Content-Length and Host to be filtered out through hop-by-hop manipulation, enabling them to break HTTP/1 protocol framing and bypass request-to-host routing in VCL. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

Impact

The vulnerability can allow attackers to break HTTP/1 protocol framing and bypass request-to-host routing in VCL. This could lead to unauthorized access to backend systems and manipulation of request handling between Varnish Cache servers and backend systems (Varnish Advisory).

Mitigation and workarounds

The issue has been fixed in Varnish Cache versions 7.1.2 and 7.2.1. For systems that cannot immediately upgrade, a mitigation is available by adding specific VCL code at the beginning of the vcl_recv function to filter Connection-header tokens. The mitigation implements a regular expression check on the Connection header and returns a 400 'Bad request' response when the header names an unauthorized token (Varnish Advisory).
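The following is an added example and not Varnish's own code or the advisory's VCL. It models, in Python, the two things described above: what a forwarder does when it honours client-supplied hop-by-hop tokens (the headers listed in Connection are dropped before the request reaches the backend), and the Connection-header check the mitigation performs before any forwarding. The set of protected header names (Content-Length and Host, the two the advisory calls out) and the regular expression are assumptions for this example; the sample requests are constructed.

```python
"""Added example (not Varnish code): hop-by-hop handling behind CVE-2022-45059
and the Connection-header check used as a mitigation."""
from __future__ import annotations

import re

# A request's headers as an ordered list of (name, value) pairs, as they would
# appear on the wire.
Headers = list[tuple[str, str]]

# Headers that must always reach the backend. Content-Length and Host are the
# two the advisory names; the exact set is an assumption of this example.
PROTECTED_HEADERS = frozenset({"content-length", "host"})

# Assumed regex, in the spirit of the advisory's VCL check: match a protected
# header name as a whole Connection-list element, case-insensitively, so that
# "close, Content-Length" matches but an unrelated token like "hostname-hint"
# does not.
CONNECTION_DENY_RE = re.compile(r"(?i)(^|,)\s*(content-length|host)\s*(,|$)")


def get_header(headers: Headers, name: str) -> str | None:
    """Case-insensitive lookup of a single header value."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def connection_tokens(headers: Headers) -> list[str]:
    """Split the Connection header on commas into lower-cased, trimmed tokens."""
    raw = get_header(headers, "Connection")
    if raw is None:
        return []
    return [t.strip().lower() for t in raw.split(",") if t.strip()]


def naive_hop_by_hop_strip(headers: Headers) -> Headers:
    """What an unpatched forwarder does: drop every header the client listed as
    hop-by-hop in Connection (plus Connection itself) before sending upstream.
    If the client listed Content-Length or Host, those are lost too."""
    drop = set(connection_tokens(headers)) | {"connection"}
    return [(n, v) for n, v in headers if n.lower() not in drop]


def check_connection_header(headers: Headers) -> tuple[int, str]:
    """Mitigation check, run before forwarding: (400, 'Bad request') if the
    Connection header names a protected header, otherwise (200, 'ok')."""
    raw = get_header(headers, "Connection")
    if raw is not None and CONNECTION_DENY_RE.search(raw):
        named = sorted(t for t in connection_tokens(headers) if t in PROTECTED_HEADERS)
        return 400, "Bad request: Connection names protected header(s): " + ", ".join(named)
    return 200, "ok"


def demo() -> None:
    # Constructed sample requests for illustration.
    benign: Headers = [("Host", "app.example.test"), ("Content-Length", "5"),
                       ("Connection", "keep-alive")]
    suspicious: Headers = [("Host", "app.example.test"), ("Content-Length", "5"),
                           ("Connection", "close, Content-Length")]
    for label, req in (("benign", benign), ("suspicious", suspicious)):
        status, reason = check_connection_header(req)
        forwarded = [n for n, _ in naive_hop_by_hop_strip(req)]
        print(f"{label}: check -> {status} {reason}; unpatched forwarder would send {forwarded}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the benign request passing the check with Host and Content-Length intact, while the second request is rejected with 400 before forwarding; without the check, the unpatched model strips Content-Length from it, which is exactly the framing loss the advisory describes. In VCL the same condition is a regex match on `req.http.connection` at the top of `vcl_recv` that returns a synthetic 400 response.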

Community reactions

The vulnerability was discovered and reported by Martin van Kervel Smedshammer, a Graduate Student at the University of Oslo. The issue was addressed promptly with security updates being released for various distributions including Fedora (Fedora Update).
