Bug 1819111 (CVE-2020-11100)

Summary: CVE-2020-11100 haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: amcdermo, bbennett, benbennett, bmontgom, bperkins, carl, dhansen, dmace, dominik.mierzejewski, eparis, hhorak, hongli, jburrell, jeremy, jokerman, jorton, jrusnack, jshepherd, jshortt, madale, mmasters, nstielau, pavloos, pmatouse, rohara, rrackow, rsandu, security-response-team, sponnaga
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: haproxy 2.1.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way HAProxy processed certain HTTP/2 request packets. This flaw allows an attacker to send crafted HTTP/2 request packets, which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the user running HAProxy.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-02 16:31:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1819515, 1819516, 1819517, 1819518, 1819519, 1819557, 1819562, 1819563, 1819824, 1820020, 1820021, 1820022, 1820185
Bug Blocks: 1819113, 1819848
Attachments:
  Description + proposed patch (flags: none)

Description Marian Rehak 2020-03-31 08:48:59 UTC
A flaw was found in the way haproxy processed certain HTTP/2 request packets. An attacker could send crafted HTTP/2 request packets which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the user running haproxy.

Comment 1 Marian Rehak 2020-03-31 08:55:22 UTC
Created attachment 1675022 [details]
Description + proposed patch

Comment 2 Ryan O'Hara 2020-03-31 16:20:08 UTC
This was assigned CVE-2020-11100.

Any chance the product bugs are coming soon?

Comment 21 Eric Christensen 2020-04-01 17:27:42 UTC
Statement:

HAProxy packages shipped with Red Hat Enterprise Linux 6 and 7 do not contain support for HTTP/2; therefore, they are not affected by this flaw.

OpenShift Container Platform versions through 4.3 contain the vulnerable code; exploitation requires setting ROUTER_USE_HTTP2 in the OpenShift Ingress Operator, which is not currently possible. The impact of this vulnerability is therefore reduced in OCP 4.x, prior to version 4.4, to low.

OpenShift Container Platform 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy. However, it is not enabled by default on that version.

Comment 27 Huzaifa S. Sidhpurwala 2020-04-02 05:26:22 UTC
Acknowledgments:

Name: the HAProxy project
Upstream: Felix Wilhelm (Google Project Zero)

Comment 31 Huzaifa S. Sidhpurwala 2020-04-02 13:09:26 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 1820185]

Comment 32 Huzaifa S. Sidhpurwala 2020-04-02 13:10:21 UTC
Upstream commit at: https://git.haproxy.org/?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88

Comment 33 errata-xmlrpc 2020-04-02 13:40:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1289 https://access.redhat.com/errata/RHSA-2020:1289

Comment 34 errata-xmlrpc 2020-04-02 13:49:33 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:1290 https://access.redhat.com/errata/RHSA-2020:1290

Comment 37 errata-xmlrpc 2020-04-02 14:05:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1288 https://access.redhat.com/errata/RHSA-2020:1288

Comment 40 Huzaifa S. Sidhpurwala 2020-04-02 15:24:46 UTC
Mitigation:

This issue can be mitigated by not enabling support for HTTP/2 protocol. Upstream suggests that HTTP/2 can be enabled per front-end server by using the following documentation: https://www.haproxy.com/documentation/hapee/1-8r1/traffic-management/enable-http2-protocol/.

You can check if http2 is enabled by searching your haproxy configuration files for a line containing 'h2'.

To mitigate this vulnerability in OpenShift Container Platform 3.11, keep HTTP/2 disabled as it is by default. You can verify whether HTTP/2 support is enabled by following the instructions in the following article: https://access.redhat.com/security/vulnerabilities/haproxy

On Red Hat Enterprise Linux 8, haproxy is confined by SELinux, which should mitigate remote arbitrary code execution.
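
A stricter version of the "search your haproxy configuration files for h2" check from the mitigation comment above, added here as an example and not part of the bug report or of the HAProxy project: it reports only non-comment lines that actually enable HTTP/2 (an ALPN list offering h2, or an explicit "proto h2"), so a frontend merely named with "h2" is not a false hit. The two sample configuration files and their paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the HAProxy project: a stricter
# form of "grep your haproxy configuration for h2". Only non-comment lines
# that enable HTTP/2 count: an ALPN list offering h2, or an explicit "proto h2".

h2_enabled_lines() {
    # Print "file:line: text" for each HTTP/2-enabling line in the given files.
    # Exit status 0 if at least one such line exists, 1 otherwise.
    awk '
        { code = $0; sub(/#.*$/, "", code) }   # strip comments before matching
        code ~ /(^|[[:space:]])alpn[[:space:]]+[^[:space:]]*h2/ ||
        code ~ /(^|[[:space:]])proto[[:space:]]+h2([[:space:]]|$)/ {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$@"
}

count_h2_lines() {
    # Number of HTTP/2-enabling lines across the given files ("0" if none).
    h2_enabled_lines "$@" | wc -l | tr -d ' '
}

# Constructed sample configurations; the paths are hypothetical.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/edge-h2.cfg" <<'EOF'
frontend fe_edge
    # alpn h2 is enabled on the bind line below; this comment must not count
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    default_backend be_app
EOF
cat > "$SAMPLE_DIR/edge-h1.cfg" <<'EOF'
frontend fe_h2_named_but_http1   # "h2" in a name is not HTTP/2 support
    bind :443 ssl crt /etc/haproxy/site.pem alpn http/1.1
    default_backend be_app
EOF

# Report every enabling line, or say so when a file set is clean.
h2_enabled_lines "$SAMPLE_DIR"/*.cfg || echo "no HTTP/2-enabling lines found"
```

On a real host, point h2_enabled_lines at /etc/haproxy/haproxy.cfg and any files it includes; a non-zero exit status means no HTTP/2-enabling line was found.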

Comment 41 Product Security DevOps Team 2020-04-02 16:31:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11100

Comment 42 errata-xmlrpc 2020-04-07 19:43:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:1287 https://access.redhat.com/errata/RHSA-2020:1287

Comment 43 errata-xmlrpc 2020-05-04 10:17:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:1936 https://access.redhat.com/errata/RHSA-2020:1936