Bug 1819111 (CVE-2020-11100) - CVE-2020-11100 haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
Summary: CVE-2020-11100 haproxy: malformed HTTP/2 requests can lead to out-of-bounds w...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1819563 1819515 1819516 1819517 1819518 1819519 1819557 1819562 1819824 1820020 1820021 1820022 1820185
Blocks: 1819113 1819848
TreeView+ depends on / blocked
 
Reported: 2020-03-31 08:48 UTC by Marian Rehak
Modified: 2020-05-20 23:19 UTC (History)
29 users (show)

Fixed In Version: haproxy 2.1.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way HAProxy processed certain HTTP/2 request packets. This flaw allows an attacker to send crafted HTTP/2 request packets, which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the user running HAProxy.
Clone Of:
Environment:
Last Closed: 2020-04-02 16:31:59 UTC


Attachments (Terms of Use)
Description + proposed patch (2.49 KB, application/mbox)
2020-03-31 08:55 UTC, Marian Rehak
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1327 None None None 2020-04-06 13:19:01 UTC
Red Hat Product Errata RHBA-2020:1328 None None None 2020-04-06 14:39:14 UTC
Red Hat Product Errata RHSA-2020:1287 None None None 2020-04-07 19:43:16 UTC
Red Hat Product Errata RHSA-2020:1288 None None None 2020-04-02 14:05:29 UTC
Red Hat Product Errata RHSA-2020:1289 None None None 2020-04-02 13:40:17 UTC
Red Hat Product Errata RHSA-2020:1290 None None None 2020-04-02 13:49:35 UTC
Red Hat Product Errata RHSA-2020:1936 None None None 2020-05-04 10:17:48 UTC

Description Marian Rehak 2020-03-31 08:48:59 UTC
A flaw was found in the way haproxy processed certain HTTP/2 request packets. An attacker could send crafted HTTP/2 request packets which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the user running haproxy.

Comment 1 Marian Rehak 2020-03-31 08:55:22 UTC
Created attachment 1675022 [details]
Description + proposed patch

Comment 2 Ryan O'Hara 2020-03-31 16:20:08 UTC
This was assigned CVE-2020-11100.

Any change the product bugs are coming soon?

Comment 21 Eric Christensen 2020-04-01 17:27:42 UTC
Statement:

HAProxy packages shipped with Red Hat Enterprise Linux 6 and 7 do not contain support for HTTP/2; therefore, they are not affected by this flaw.

OpenShift Container Platform versions through 4.3 contain the vulnerable code; exploitation requires setting ROUTER_USE_HTTP2 in the OpenShift Ingress Operator, which is not currently possible. The impact of this vulnerability is therefore reduced in OCP 4.x, prior to version 4.4, to low.

OpenShift Container Platform 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy. However, it is not enabled by default on that version.

Comment 27 Huzaifa S. Sidhpurwala 2020-04-02 05:26:22 UTC
Acknowledgments:

Name: the HAProxy project
Upstream: Felix Wilhelm (Google Project Zero)

Comment 31 Huzaifa S. Sidhpurwala 2020-04-02 13:09:26 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 1820185]

Comment 32 Huzaifa S. Sidhpurwala 2020-04-02 13:10:21 UTC
Upstream commit at: https://git.haproxy.org/?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88

Comment 33 errata-xmlrpc 2020-04-02 13:40:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1289 https://access.redhat.com/errata/RHSA-2020:1289

Comment 34 errata-xmlrpc 2020-04-02 13:49:33 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:1290 https://access.redhat.com/errata/RHSA-2020:1290

Comment 37 errata-xmlrpc 2020-04-02 14:05:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1288 https://access.redhat.com/errata/RHSA-2020:1288

Comment 40 Huzaifa S. Sidhpurwala 2020-04-02 15:24:46 UTC
Mitigation:

This issue can be mitigated by not enabling support for HTTP/2 protocol. Upstream suggests that HTTP/2 can be enabled per front-end server by using the following documentation: https://www.haproxy.com/documentation/hapee/1-8r1/traffic-management/enable-http2-protocol/.

You can check if http2 is enabled by searching your haproxy configuration files for a line containing 'h2'.

To mitigate this vulnerability in OpenShift Container Platform 3.11, keep HTTP/2 disabled as it is by default. You can verify if HTTP/2 support is enabled or not by following the instructions in following article: https://access.redhat.com/security/vulnerabilities/haproxy

On Red Hat Enterprise Linux 8, haproxy is confined by SELinux, which should mitigate remote arbitrary code execution.

Comment 41 Product Security DevOps Team 2020-04-02 16:31:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11100

Comment 42 errata-xmlrpc 2020-04-07 19:43:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:1287 https://access.redhat.com/errata/RHSA-2020:1287

Comment 43 errata-xmlrpc 2020-05-04 10:17:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:1936 https://access.redhat.com/errata/RHSA-2020:1936


Note You need to log in before you can comment on or make changes to this bug.