Bug 2000599 (CVE-2021-40346)
| Summary: | CVE-2021-40346 haproxy: request smuggling attack or response splitting via duplicate content-length header | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bmontgom, bperkins, eparis, hhorak, jburrell, jeremy, jokerman, jorton, mzali, nstielau, pavloos, rohara, sburke, security-response-team, sponnaga, steven.barre, tmanor, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | haproxy 2.4.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
Proxy server haproxy has a flaw that can could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by haproxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in haproxy while parsing an HTTP request. The highest threat from this vulnerability is integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-10 20:57:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2000621, 2001963, 2002411, 2002412, 2002703, 2002706, 2002708, 2002753, 2003162, 2003180, 2019913 | ||
| Bug Blocks: | 1999861 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-09-02 13:20:50 UTC
Created haproxy tracking bugs for this issue: Affects: fedora-all [bug 2002411] haproxy has a flaw that can could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by HAProxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request.
RHEL7 and RHEL8 are not affected by flaw:
However to mitigate this problem the following can be added to proxy config:
http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:4118 https://access.redhat.com/errata/RHSA-2021:4118 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-40346 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:5208 https://access.redhat.com/errata/RHSA-2021:5208 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:0024 https://access.redhat.com/errata/RHSA-2022:0024 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:0114 https://access.redhat.com/errata/RHSA-2022:0114 |