A flaw was discovered in the HPACK decoder of haproxy before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service. According to the report, there is no risk of escalation or code execution.
Name: Tim Düsterhus, Willy Tarreau
RHSCL package startup with alpn h2 set.
systemctl status rh-haproxy18-haproxy.service -l
Sep 20 13:23:19 host systemd: Starting HAProxy Load Balancer...
Sep 20 13:23:19 host haproxy: [ALERT] 262/132319 (29405) : parsing [/etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg:68] : 'bind *:5000' : 'alpn' : library does not support TLS ALPN extension
Sep 20 13:23:19 host haproxy: [ALERT] 262/132319 (29405) : Error(s) found in configuration file : /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
Sep 20 13:23:19 host haproxy: [ALERT] 262/132319 (29405) : Fatal errors found in configuration.
Sep 20 13:23:19 host systemd: rh-haproxy18-haproxy.service: control process exited, code=exited status=1
Sep 20 13:23:19 host systemd: Failed to start HAProxy Load Balancer.
Sep 20 13:23:19 host systemd: Unit rh-haproxy18-haproxy.service entered failed state.
Sep 20 13:23:19 host systemd: rh-haproxy18-haproxy.service failed.
[root@host haproxy]# haproxy -vv
HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_SYSTEMD=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
Unembargoed, announced via upstream.
Created haproxy tracking bugs for this issue:
Affects: fedora-all [bug 1631538]
After much effort, we were unable to reproduce this on RHEL-7 on the RHSCL packaged version of haproxy. While the package does not currently support ALPN due to a build against an older version of openssl, it does support NPN, which may be another vector into the target subsystem. As such, the version may be vulnerable, and thus may be patched in the future.
This issue has been addressed in the OpenShift Container Platform 3.11 GA release.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Via RHSA-2018:2882 https://access.redhat.com/errata/RHSA-2018:2882
HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability keep it disabled. You can verify if HTTP/2 support is enabled by following the instructions in the upstream pull request, .
HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, . Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, . OCP 3.9, and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled.
Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.