Bug 2231370 (CVE-2023-40225)

Summary: CVE-2023-40225 haproxy: Proxy forwards malformed empty Content-Length headers
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, amctagga, aoconnor, bniver, chazlett, dfreiber, eaguilar, ebaron, flucifre, gmeno, gsuckevi, hhorak, jburrell, jkang, jorton, jpallich, mbenjamin, mhackett, pjindal, redhat-bugzilla, rogbas, rohara, sfroberg, sostapov, vereddy, vkumar, vumrao
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: haproxy 2.6.15, haproxy 2.7.10, haproxy 2.8.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in HAProxy. Empty Content-Length headers are forwarded, which could cause an HTTP/1 server behind it to interpret the payload as an extra request. This may render the HTTP/1 server vulnerable to attacks in some uncommon cases.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2231372, 2231384, 2231371, 2231381, 2231382, 2231383
Bug Blocks: 2231385

Description Pedro Sampaio 2023-08-11 12:29:49 UTC
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

References:

https://www.haproxy.org/download/2.8/src/CHANGELOG
https://www.haproxy.org/download/2.6/src/CHANGELOG
https://github.com/haproxy/haproxy/issues/2237
https://www.haproxy.org/download/2.7/src/CHANGELOG
https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856

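The desync the description refers to, shown as an added example that is not HAProxy's code or the referenced fix: a minimal HTTP/1 request framer in Python, run once with the Content-Length check RFC 9110 section 8.6 requires (value must be 1*DIGIT, so an empty value is rejected) and once with a constructed lenient policy that treats an empty value as zero. With the lenient policy the bytes after the empty header are framed as a second request. The sample request bytes, the `backend.example` host and the `/upload` and `/admin` paths are constructed placeholders.

```python
import re

CRLF = b"\r\n"
# RFC 9110 s8.6: Content-Length = 1*DIGIT
DIGITS = re.compile(rb"^[0-9]+$")


class BadRequest(Exception):
    """Raised when a message must be rejected as invalid."""


def parse_head(raw):
    """Split one HTTP/1 message into (start line, [(name, value)], remaining bytes).

    Header names are lower-cased and values stripped of surrounding whitespace,
    so an empty Content-Length value arrives here as b"".
    """
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise BadRequest("incomplete header section")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise BadRequest("malformed header line %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def strict_content_length(headers):
    """Content-Length policy per RFC 9110 s8.6.

    Every value (including each member of a comma-separated list) must be
    1*DIGIT; identical duplicates are collapsed, anything else is rejected.
    An empty value fails the DIGIT rule and is therefore rejected.
    Returns None when the header is absent.
    """
    values = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(v.strip() for v in value.split(b","))
    if not values:
        return None
    for v in values:
        if not DIGITS.match(v):
            raise BadRequest("invalid Content-Length value %r" % v)
    if len(set(values)) != 1:
        raise BadRequest("conflicting Content-Length values %r" % values)
    return int(values[0])


def lenient_content_length(headers):
    """Constructed lenient policy (not modelled on any specific server): an
    empty or non-numeric value is silently treated as 0, which is what lets
    the bytes following the headers be read as a new request."""
    for name, value in headers:
        if name == b"content-length":
            return int(value) if value.isdigit() else 0
    return None


def frame_requests(raw, content_length_policy):
    """Frame consecutive HTTP/1 requests from a byte stream.

    Returns a list of (start line, body) pairs; raises BadRequest when the
    policy rejects a message. Transfer-Encoding is deliberately out of scope.
    """
    requests = []
    while raw:
        start_line, headers, rest = parse_head(raw)
        length = content_length_policy(headers) or 0
        requests.append((start_line, rest[:length]))
        raw = rest[length:]
    return requests


# Constructed sample: a POST whose Content-Length is empty, followed by bytes
# that form a complete second request.
SAMPLE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: \r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"\r\n"
)


def compare(raw=SAMPLE):
    """Return (start lines seen by the lenient framer, outcome of the strict framer)."""
    lenient = [start for start, _ in frame_requests(raw, lenient_content_length)]
    try:
        frame_requests(raw, strict_content_length)
        strict = "accepted"
    except BadRequest as exc:
        strict = "rejected: %s" % exc
    return lenient, strict


if __name__ == "__main__":
    seen, outcome = compare()
    print("lenient framer saw:", seen)
    print("strict framer:", outcome)
```

The point of the comparison is the proxy's role: a proxy that rejects (or at least does not forward) the empty header keeps the lenient backend from ever seeing the second request, which is why the fixed HAProxy versions listed above close the issue regardless of how the backend parses.
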
Comment 1 Pedro Sampaio 2023-08-11 12:33:45 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 2231371]


Created haproxy18 tracking bugs for this issue:

Affects: epel-7 [bug 2231372]

Comment 5 Robert Scheck 2023-08-13 08:36:38 UTC
Please note that HAProxy versions before version 2.0, e.g. 1.8 as shipped in RHEL 8 or 1.5 as shipped in RHEL 7, are also affected. See https://github.com/haproxy/haproxy/issues/2237#issuecomment-1676113850 (and comment replies) for more details.

Comment 9 errata-xmlrpc 2023-11-29 12:08:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7473 https://access.redhat.com/errata/RHSA-2023:7473

Comment 10 errata-xmlrpc 2023-12-06 00:50:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:7606 https://access.redhat.com/errata/RHSA-2023:7606

Comment 11 errata-xmlrpc 2024-01-17 19:23:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0200 https://access.redhat.com/errata/RHSA-2024:0200

Comment 12 errata-xmlrpc 2024-01-24 21:04:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2024:0308 https://access.redhat.com/errata/RHSA-2024:0308

Comment 14 errata-xmlrpc 2024-02-27 22:28:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 15 errata-xmlrpc 2024-03-05 08:17:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1089 https://access.redhat.com/errata/RHSA-2024:1089

Comment 16 errata-xmlrpc 2024-03-05 18:15:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1142 https://access.redhat.com/errata/RHSA-2024:1142