Bug 1630048 – CVE-2018-14645 haproxy: Out-of-bounds read in HPACK decoder

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1630048 - (CVE-2018-14645) CVE-2018-14645 haproxy: Out-of-bounds read in HPACK decoder

Summary:	CVE-2018-14645 haproxy: Out-of-bounds read in HPACK decoder

Status:	NEW

Aliases:	CVE-2018-14645

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20180920:1200...
Keywords:	Security

Depends On:	1630098 1630099 1630503 1631539 1630096 1630097 1630502 1631538
Blocks:	1630053
	Show dependency tree / graph

Reported:	2018-09-17 17:24 EDT by Pedro Sampaio
Modified:	2018-10-08 06:05 EDT (History)
CC List:	23 users (show)

See Also:
Fixed In Version:	haproxy 1.8.14
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was discovered in the HPACK decoder of haproxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2882	None	None	None	2018-10-08 06:05 EDT

Groups: None (edit)

Description Pedro Sampaio 2018-09-17 17:24:47 EDT

A flaw was discovered in the HPACK decoder of haproxy before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service. According to the report, there is no risk of escalation or code execution.

Comment 3 Jason Shepherd 2018-09-17 20:10:51 EDT

Mitigation:

HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability keep it disabled. You can verify it HTTP/2 support is enabled by following the instructions in the upstream pull request, [1].

[1] https://github.com/openshift/origin/pull/19968

Comment 9 Jason Shepherd 2018-09-20 01:13:51 EDT

Acknowledgments:

Name: Tim Düsterhus, Willy Tarreau

Comment 12 Scott Gayou 2018-09-20 14:11:07 EDT

RHSCL package startup with alpn h2 set.

systemctl status rh-haproxy18-haproxy.service -l
...
Sep 20 13:23:19 host systemd[1]: Starting HAProxy Load Balancer...
Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : parsing [/etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg:68] : 'bind *:5000' : 'alpn' : library does not support TLS ALPN extension
Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : Error(s) found in configuration file : /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : Fatal errors found in configuration.
Sep 20 13:23:19 host systemd[1]: rh-haproxy18-haproxy.service: control process exited, code=exited status=1
Sep 20 13:23:19 host systemd[1]: Failed to start HAProxy Load Balancer.
Sep 20 13:23:19 host systemd[1]: Unit rh-haproxy18-haproxy.service entered failed state.
Sep 20 13:23:19 host systemd[1]: rh-haproxy18-haproxy.service failed.
[root@host haproxy]# haproxy -vv
HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
	[SPOE] spoe
	[COMP] compression
	[TRACE] trace

Comment 13 Scott Gayou 2018-09-20 15:42:53 EDT

Unembargoed, announced via upstream.

https://www.mail-archive.com/haproxy@formilux.org/msg31253.html

Comment 14 Scott Gayou 2018-09-20 15:43:02 EDT

External References:

https://www.mail-archive.com/haproxy@formilux.org/msg31253.html

Comment 15 Scott Gayou 2018-09-20 15:54:10 EDT

Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 1631538]

Comment 17 Jason Shepherd 2018-09-24 02:39:38 EDT

Statement:

HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9, and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled.

Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.

[1] http://www.haproxy.org/news.html
[2] https://github.com/openshift/origin/pull/19968
[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html

Comment 20 Scott Gayou 2018-09-25 18:19:56 EDT

After much effort, we were unable to reproduce this on RHEL-7 on the RHSCL packaged version of haproxy. While the package does not currently support ALPN due to a build against an older version of openssl, it does support NPN, which may be another vector into the target subsystem. As such, the version may be vulnerable, and thus may be patched in the future.

Comment 21 Jason Shepherd 2018-10-02 21:18:16 EDT

This issue has been addressed in the OpenShift Container Platform 3.11 GA release.

Comment 22 Tomas Hoger 2018-10-04 15:26:51 EDT

Upstream commit:

http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=b4e05a3daa30f657db01ec144a0e48850c48f813

Comment 23 errata-xmlrpc 2018-10-08 06:04:57 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2882 https://access.redhat.com/errata/RHSA-2018:2882

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
ahardin
bbennett
bleanhar
bperkins
carl
ccoleman
dbaker
dedgar
dmace
eparis
hhorak
jeremy
jgoulding
jokerman
jorton
jshepherd
mchappel
rohara
security-response-team
sgayou
sthangav
trankin