CVE-2022-45060: 
Rocky Linux vulnerability analysis and mitigation

An HTTP Request Forgery vulnerability (CVE-2022-45060) was discovered in Varnish Cache versions 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. The vulnerability was discovered and reported by Martin van Kervel Smedshammer, Graduate Student at the University of Oslo, and was publicly disclosed on November 8, 2022 (Varnish Advisory).

The vulnerability allows attackers to perform request forgery attacks on Varnish Cache servers with HTTP/2 protocol enabled. An attacker can introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

This vulnerability could be exploited to successfully exploit vulnerabilities in servers behind the Varnish server by manipulating HTTP requests. The potential impact includes request forgery towards the backend systems, which could lead to unauthorized access or manipulation of backend services (Varnish Advisory).

The recommended solution is to upgrade to patched versions: Varnish Cache 6.0.11, 7.1.2, or 7.2.1. If upgrading is not possible, a workaround can be implemented by adding a VCL snippet at the beginning of vcl_recv function to check for problematic characters in request URLs and methods, returning a 400 'Bad request' response if found (Varnish Advisory).

Multiple Linux distributions have released security advisories and patches for this vulnerability, including Red Hat Enterprise Linux, Fedora, and Debian. Red Hat rated this update as having a security impact of Important (Red Hat Advisory).