A flaw was discovered in the HPACK decoder of haproxy before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service. According to the report, there is no risk of escalation or code execution.
Acknowledgments: Name: Tim Düsterhus, Willy Tarreau
RHSCL package startup with alpn h2 set. systemctl status rh-haproxy18-haproxy.service -l ... Sep 20 13:23:19 host systemd[1]: Starting HAProxy Load Balancer... Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : parsing [/etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg:68] : 'bind *:5000' : 'alpn' : library does not support TLS ALPN extension Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : Error(s) found in configuration file : /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg Sep 20 13:23:19 host haproxy[29405]: [ALERT] 262/132319 (29405) : Fatal errors found in configuration. Sep 20 13:23:19 host systemd[1]: rh-haproxy18-haproxy.service: control process exited, code=exited status=1 Sep 20 13:23:19 host systemd[1]: Failed to start HAProxy Load Balancer. Sep 20 13:23:19 host systemd[1]: Unit rh-haproxy18-haproxy.service entered failed state. Sep 20 13:23:19 host systemd[1]: rh-haproxy18-haproxy.service failed. [root@host haproxy]# haproxy -vv HA-Proxy version 1.8.4-1deb90d 2018/02/08 Copyright 2000-2018 Willy Tarreau <willy> Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013 Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Encrypted password support via crypt(3): yes Built with multi-threading support. Built with PCRE version : 8.32 2012-11-30 Running on PCRE version : 8.32 2012-11-30 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built with zlib version : 1.2.7 Running on zlib version : 1.2.7 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with network namespace support. Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [SPOE] spoe [COMP] compression [TRACE] trace
Unembargoed, announced via upstream. https://www.mail-archive.com/haproxy@formilux.org/msg31253.html
External References: https://www.mail-archive.com/haproxy@formilux.org/msg31253.html
Created haproxy tracking bugs for this issue: Affects: fedora-all [bug 1631538]
After much effort, we were unable to reproduce this on RHEL-7 on the RHSCL packaged version of haproxy. While the package does not currently support ALPN due to a build against an older version of openssl, it does support NPN, which may be another vector into the target subsystem. As such, the version may be vulnerable, and thus may be patched in the future.
This issue has been addressed in the OpenShift Container Platform 3.11 GA release.
Upstream commit: http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=b4e05a3daa30f657db01ec144a0e48850c48f813
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Via RHSA-2018:2882 https://access.redhat.com/errata/RHSA-2018:2882
Mitigation: HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability keep it disabled. You can verify if HTTP/2 support is enabled by following the instructions in the upstream pull request, [1]. [1] https://github.com/openshift/origin/pull/19968
Statement: HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9, and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled. Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7. [1] http://www.haproxy.org/news.html [2] https://github.com/openshift/origin/pull/19968 [3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html