Bug 1663060 (CVE-2018-20615)

Summary: CVE-2018-20615 haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, ahardin, bleanhar, bmontgom, bperkins, carl, ccoleman, dbaker, dbecker, dedgar, dominik.mierzejewski, eparis, hhorak, jburrell, jeremy, jgoulding, jjoyce, jokerman, jorton, jschluet, kbasil, lhh, lpeer, mburns, mchappel, nstielau, pasik, rohara, sclewis, security-response-team, sfowler, slinaber, sponnaga, sthangav, trankin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: haproxy 1.8.17, haproxy 1.9.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in HAProxy, versions before 1.8.17 and 1.9.1. Mishandling occurs when a priority flag is set on a too-short HEADERS frame in the HTTP/2 decoder, allowing an out-of-bounds read and a subsequent crash. A remote attacker can exploit this flaw to cause a denial of service. Those who do not use HTTP/2 are unaffected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:44:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1663079, 1663080, 1663081, 1663083, 1663084, 1663378, 1663379, 1663380, 1664533
Bug Blocks: 1663061
Attachments:
  Description: Patch
  Flags: none

Description Sam Fowler 2019-01-02 23:53:46 UTC
HAProxy before versions 1.8.17 and 1.9.1 mishandles when a priority flag is set on too short a HEADERS frame in the HTTP/2 decoder, allowing for an out-of-bounds read and subsequent crash. A remote attacker could exploit this to cause a denial of service.

Those who do not use HTTP/2 are unaffected.
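As an added illustration, not code from HAProxy, from this bug's attached patch, or from Red Hat: the length validation a conforming HTTP/2 decoder performs before it reads the PRIORITY (and PADDED) fields of a HEADERS frame, following RFC 7540 sections 4.2 and 6.2. The function name, the struct and the three sample frames are constructed for this example; the frames are not captured traffic. The second sample is the shape of frame the report describes, a HEADERS frame whose PRIORITY flag announces five bytes that its 3-byte payload does not contain; the check rejects it as a FRAME_SIZE_ERROR instead of reading past the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* HTTP/2 framing constants (RFC 7540, sections 4.1 and 6.2). */
#define H2_FRAME_HDR_LEN 9
#define H2_FT_HEADERS    0x01
#define H2_F_PADDED      0x08
#define H2_F_PRIORITY    0x20

enum h2_rc {
    H2_OK              =  0,
    H2_ERR_TRUNCATED   = -1, /* buffer holds fewer bytes than the length field claims */
    H2_ERR_NOT_HEADERS = -2,
    H2_ERR_FRAME_SIZE  = -3, /* payload too small for the fields its flags announce */
    H2_ERR_PROTOCOL    = -4  /* Pad Length exceeds what is left of the payload */
};

/* Fields a decoder extracts from a HEADERS frame before HPACK decoding (hypothetical layout). */
struct h2_headers_view {
    const uint8_t *block;     /* header block fragment */
    size_t         block_len;
    int            has_priority, exclusive;
    uint32_t       dep_stream;
    uint8_t        weight;
};

/* Parse one HEADERS frame from buf[0..buf_len). Every payload read is preceded
 * by a length check, so a short frame is rejected rather than read past. */
int h2_parse_headers_frame(const uint8_t *buf, size_t buf_len,
                           struct h2_headers_view *out)
{
    if (buf_len < H2_FRAME_HDR_LEN)
        return H2_ERR_TRUNCATED;

    uint32_t len   = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    uint8_t  type  = buf[3];
    uint8_t  flags = buf[4];
    if (type != H2_FT_HEADERS)
        return H2_ERR_NOT_HEADERS;
    if (buf_len - H2_FRAME_HDR_LEN < len)
        return H2_ERR_TRUNCATED;

    /* The flags decide how many payload bytes are mandatory (1 for PADDED,
     * 5 for PRIORITY). RFC 7540 section 4.2 makes a frame "too small to
     * contain mandatory frame data" a FRAME_SIZE_ERROR; check before reading. */
    size_t need = (flags & H2_F_PADDED ? 1 : 0) + (flags & H2_F_PRIORITY ? 5 : 0);
    if (len < need)
        return H2_ERR_FRAME_SIZE;

    const uint8_t *p = buf + H2_FRAME_HDR_LEN;
    size_t remaining = len, pad_len = 0;
    memset(out, 0, sizeof(*out));

    if (flags & H2_F_PADDED) {
        pad_len = *p++;
        remaining--;
    }
    if (flags & H2_F_PRIORITY) {
        uint32_t dep = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                       ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
        out->has_priority = 1;
        out->exclusive    = (int)(dep >> 31);
        out->dep_stream   = dep & 0x7fffffffu;
        out->weight       = p[4];
        p += 5;
        remaining -= 5;
    }
    if (pad_len > remaining)
        return H2_ERR_PROTOCOL; /* RFC 7540 section 6.2 */

    out->block     = p;
    out->block_len = remaining - pad_len;
    return H2_OK;
}

/* Scalar wrapper: header block length (>= 0) on success, negative enum h2_rc otherwise. */
long h2_headers_check(const uint8_t *buf, size_t buf_len)
{
    struct h2_headers_view v;
    int rc = h2_parse_headers_frame(buf, buf_len, &v);
    return rc == H2_OK ? (long)v.block_len : (long)rc;
}

/* Constructed sample frames (not captured traffic); stream id 1 throughout. */
static const uint8_t k_valid_priority_frame[] = {
    0x00, 0x00, 0x07, 0x01, 0x24, 0x00, 0x00, 0x00, 0x01, /* len 7, HEADERS, END_HEADERS|PRIORITY */
    0x80, 0x00, 0x00, 0x00, 0x0f,                         /* E=1, dependency 0, weight 15 */
    0x82, 0x86                                            /* HPACK ":method GET", ":scheme http" */
};
static const uint8_t k_short_priority_frame[] = {
    0x00, 0x00, 0x03, 0x01, 0x24, 0x00, 0x00, 0x00, 0x01, /* PRIORITY set, only 3 payload bytes */
    0x80, 0x00, 0x00                  /* trusting the flag here would read 2 bytes past the end */
};
static const uint8_t k_overpadded_frame[] = {
    0x00, 0x00, 0x03, 0x01, 0x0c, 0x00, 0x00, 0x00, 0x01, /* len 3, END_HEADERS|PADDED */
    0x05, 0x82, 0x86                                      /* Pad Length 5 > 2 remaining bytes */
};
```

In a real decoder a negative return is turned into the corresponding connection error (a GOAWAY carrying FRAME_SIZE_ERROR or PROTOCOL_ERROR); here the caller only receives the code. The point of the ordering is that `need` is compared against the declared length before any byte of the priority fields is dereferenced, which is the property a short PRIORITY frame exercises.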

Comment 1 Sam Fowler 2019-01-02 23:56:34 UTC
Created attachment 1518051 [details]
Patch

Comment 3 Jason Shepherd 2019-01-03 00:28:41 UTC
Mitigation:

HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability, keep it disabled. You can verify if HTTP/2 support is enabled by following the instructions in the upstream pull request, [1].

[1] https://github.com/openshift/origin/pull/19968

Comment 9 James Hebden 2019-01-04 06:45:02 UTC
Set Moderate product-specific impact on RHOSP haproxy container images given:
- HTTP/2 is not enabled for OpenStack deployments behind haproxy
- All haproxy packages come from RHEL directly, and are not repackaged.

I have left the affects in place, however, as we should ensure container images are updated to include the fixed package, in the unlikely case customers have customized the configuration to manually enable HTTP/2.
I have also added RHOS-12 and RHOS-13, given they made container images available for haproxy and these could optionally be deployed during RHOS deployment.

OpenStack Statement:
All editions of RHOS ship with HTTP/2 disabled on all haproxy instances by default, so are not impacted by this flaw. Customers who have customised their deployments to enable HTTP/2 should ensure they update haproxy and haproxy containers.

Comment 18 errata-xmlrpc 2019-02-05 08:23:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0275 https://access.redhat.com/errata/RHSA-2019:0275

Comment 19 errata-xmlrpc 2019-03-14 07:57:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:0548 https://access.redhat.com/errata/RHSA-2019:0548

Comment 20 errata-xmlrpc 2019-03-14 07:58:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2019:0547 https://access.redhat.com/errata/RHSA-2019:0547

Comment 21 Mauro Matteo Cascella 2020-02-21 15:52:08 UTC
Statement:

HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw, see [1]. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9 and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled.

Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.

[1] http://www.haproxy.org/news.html

[2] https://github.com/openshift/origin/pull/19968

[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html