Bug 1630048 (CVE-2018-14645)

Summary: CVE-2018-14645 haproxy: Out-of-bounds read in HPACK decoder
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, ahardin, bbennett, bleanhar, bperkins, carl, ccoleman, dbaker, dedgar, dmace, eparis, hhorak, jeremy, jgoulding, jokerman, jorton, jshepherd, mchappel, pasik, rohara, security-response-team, sthangav, trankin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: haproxy 1.8.14 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the HPACK decoder of haproxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:38:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1630097, 1630098, 1630099, 1630502, 1630503, 1631538, 1631539    
Bug Blocks: 1630053    

Description Pedro Sampaio 2018-09-17 21:24:47 UTC 
A flaw was discovered in the HPACK decoder of haproxy before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service. According to the report, there is no risk of escalation or code execution.
Comment 9 Jason Shepherd 2018-09-20 05:13:51 UTC 
Acknowledgments:

Name: Tim Düsterhus, Willy Tarreau
Comment 12 Scott Gayou 2018-09-20 18:11:07 UTC 
RHSCL package startup with alpn h2 set.

systemctl status rh-haproxy18-haproxy.service -l
...
Sep 20 13:23:19 host systemd[1]: Starting HAProxy Load Balancer...
Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : parsing [/etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg:68] : 'bind *:5000' : 'alpn' : library does not support TLS ALPN extension
Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : Error(s) found in configuration file : /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : Fatal errors found in configuration.
Sep 20 13:23:19 host systemd[1]: rh-haproxy18-haproxy.service: control process exited, code=exited status=1
Sep 20 13:23:19 host systemd[1]: Failed to start HAProxy Load Balancer.
Sep 20 13:23:19 host systemd[1]: Unit rh-haproxy18-haproxy.service entered failed state.
Sep 20 13:23:19 host systemd[1]: rh-haproxy18-haproxy.service failed.
[root@host haproxy]# haproxy -vv
HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
	[SPOE] spoe
	[COMP] compression
	[TRACE] trace
Comment 13 Scott Gayou 2018-09-20 19:42:53 UTC 
Unembargoed, announced via upstream.

https://www.mail-archive.com/haproxy@formilux.org/msg31253.html
Comment 14 Scott Gayou 2018-09-20 19:43:02 UTC 
External References:

https://www.mail-archive.com/haproxy@formilux.org/msg31253.html
Comment 15 Scott Gayou 2018-09-20 19:54:10 UTC 
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 1631538]
Comment 20 Scott Gayou 2018-09-25 22:19:56 UTC 
After much effort, we were unable to reproduce this on RHEL-7 on the RHSCL packaged version of haproxy. While the package does not currently support ALPN due to a build against an older version of openssl, it does support NPN, which may be another vector into the target subsystem. As such, the version may be vulnerable, and thus may be patched in the future.
Comment 21 Jason Shepherd 2018-10-03 01:18:16 UTC 
This issue has been addressed in the OpenShift Container Platform 3.11 GA release.
Comment 22 Tomas Hoger 2018-10-04 19:26:51 UTC 
Upstream commit:

http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=b4e05a3daa30f657db01ec144a0e48850c48f813
Comment 23 errata-xmlrpc 2018-10-08 10:04:57 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2882 https://access.redhat.com/errata/RHSA-2018:2882
Comment 24 Jason Shepherd 2019-01-03 00:18:26 UTC 
Mitigation:

HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability keep it disabled. You can verify if HTTP/2 support is enabled by following the instructions in the upstream pull request, [1].

[1] https://github.com/openshift/origin/pull/19968
Comment 25 Mauro Matteo Cascella 2020-02-21 15:52:40 UTC 
Statement:

HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9, and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled.

Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.

[1] http://www.haproxy.org/news.html

[2] https://github.com/openshift/origin/pull/19968

[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html