A flaw was found in haproxy in versions 2.0 and later. A weakness in the HTX code allows it to bypass the check for duplicate content-length headers and inject a second fake one, leading to a request smuggling attack or possibly a response splitting one.
Created haproxy tracking bugs for this issue: Affects: fedora-all [bug 2002411]
haproxy has a flaw that could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by HAProxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request. RHEL7 and RHEL8 are not affected by this flaw. However, to mitigate this problem the following can be added to the proxy config:
http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
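The two ACLs above simply deny any message carrying more than one content-length header. The following is an added example (not HAProxy code and not part of this bug record) that applies the same hdr_cnt-style check to a raw HTTP/1.1 message head, so the rule can be reproduced in a test harness or a log replay; the sample requests are constructed.

```python
"""Defender-side equivalent of the mitigation ACL
   http-request deny if { req.hdr_cnt(content-length) gt 1 }
applied to a raw HTTP/1.1 message head (request or response)."""


def parse_head(raw: bytes):
    """Split a message head into its start line and (name, value) pairs.
    Names are lower-cased and whitespace-trimmed; values are trimmed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def hdr_cnt(headers, name: bytes) -> int:
    """Count headers whose *full* name matches case-insensitively, as
    HAProxy's hdr_cnt(name) does. A name that merely starts with the
    wanted name (e.g. content-length-foo) does not count."""
    wanted = name.lower()
    return sum(1 for hname, _ in headers if hname == wanted)


def should_deny(raw: bytes) -> bool:
    """True when the message would be rejected by the mitigation rule."""
    _, headers = parse_head(raw)
    return hdr_cnt(headers, b"content-length") > 1


# Constructed sample messages (not real traffic).
CLEAN = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\nContent-Length-Note: x\r\n\r\nhello")
DUPLICATE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\ncontent-length: 9\r\n\r\nhello")

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("duplicate", DUPLICATE)):
        print(label, "deny" if should_deny(msg) else "allow")
```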
Patch for issue: https://git.haproxy.org/?p=haproxy-2.4.git;a=blobdiff;f=include/haproxy/htx.h;h=a6535237b18ce78d01ef4ca88618082b3ba45853;hp=b6d95274e9d35e729850502b4883c65aabbeef9f;hb=1fd2566683f6fb66b180ce9c3d9062ddaa81d6d7;hpb=86cb2cd3c68a0f3072a326def89449e10760423d
References: https://thehackernews.com/2021/09/haproxy-found-vulnerable-to-critical.html
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:4118 https://access.redhat.com/errata/RHSA-2021:4118
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-40346
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:5208 https://access.redhat.com/errata/RHSA-2021:5208
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:0024 https://access.redhat.com/errata/RHSA-2022:0024
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:0114 https://access.redhat.com/errata/RHSA-2022:0114