Bug 1663060 (CVE-2018-20615) - CVE-2018-20615 haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash
Summary: CVE-2018-20615 haproxy: Mishandling of priority flag in short HEADERS frame b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20615
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1663079 1663080 1663081 1663083 1663084 1663378 1663379 1663380 1664533
Blocks: 1663061
TreeView+ depends on / blocked
 
Reported: 2019-01-02 23:53 UTC by Sam Fowler
Modified: 2019-09-29 15:04 UTC (History)
31 users (show)

Fixed In Version: haproxy 1.8.17, haproxy 1.9.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:44:40 UTC


Attachments (Terms of Use)
Patch (1.18 KB, application/mbox)
2019-01-02 23:56 UTC, Sam Fowler
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0275 None None None 2019-02-05 08:23:48 UTC
Red Hat Product Errata RHSA-2019:0547 None None None 2019-03-14 07:58:06 UTC
Red Hat Product Errata RHSA-2019:0548 None None None 2019-03-14 07:57:47 UTC

Description Sam Fowler 2019-01-02 23:53:46 UTC
HAProxy before versions 1.8.17 and 1.9.1 mishandles when a priority flag is set on too short a HEADERS frame in the HTTP/2 decoder, allowing for an out-of-bounds read and subsequent crash. A remote attacker could exploit this to cause a denial of service.

Those who do not use HTTP/2 are unaffected.

Comment 1 Sam Fowler 2019-01-02 23:56:34 UTC
Created attachment 1518051 [details]
Patch

Comment 3 Jason Shepherd 2019-01-03 00:28:41 UTC
Mitigation:

HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability keep it disabled. You can verify if HTTP/2 support is enabled by following the instructions in the upstream pull request, [1].

[1] https://github.com/openshift/origin/pull/19968

Comment 6 Doran Moppert 2019-01-03 04:43:25 UTC
Statement:

HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw, see [1]. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9, and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled.

Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.

[1] http://www.haproxy.org/news.html
[2] https://github.com/openshift/origin/pull/19968
[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html

Comment 9 James Hebden 2019-01-04 06:45:02 UTC
Set Moderate product-specific impact on RHOSP haproxy container images given:
- HTTP/2 is not enabled for OpenStack deployments behind haproxy
- All haproxy packages come from RHEL directly, and are not repackaged.

I have left the affects in place however as we should ensure container images are updated to include the fixed package, in the unlikely case customers have customized the configuration to manually enable HTTP/2.
I have also added RHOS-12 and RHOS-13, given they made container images available for haproxy and these could optionally be deployed during RHOS deployment.

OpenStack Statement:
All editions of RHOS ship with HTTP/2 disabled on all haproxy instances by default, so are not impacted by this flaw. Customers who have customised their deployments to enable HTTP/2 should ensure they update haproxy and haproxy containers.

Comment 18 errata-xmlrpc 2019-02-05 08:23:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:0275 https://access.redhat.com/errata/RHSA-2019:0275

Comment 19 errata-xmlrpc 2019-03-14 07:57:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:0548 https://access.redhat.com/errata/RHSA-2019:0548

Comment 20 errata-xmlrpc 2019-03-14 07:58:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2019:0547 https://access.redhat.com/errata/RHSA-2019:0547


Note You need to log in before you can comment on or make changes to this bug.