HAProxy before versions 1.8.17 and 1.9.1 mishandles a HEADERS frame that carries the PRIORITY flag but is too short to hold the priority fields in its HTTP/2 decoder, allowing an out-of-bounds read and a subsequent crash. A remote attacker could exploit this to cause a denial of service. Those who do not use HTTP/2 are unaffected.
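As an added example (this is not haproxy's code and not the upstream fix, which lives in the commit linked below), the following minimal HTTP/2 HEADERS frame decoder shows the length check that is at issue. Per RFC 7540 section 6.2, when the PRIORITY flag is set the payload carries five extra bytes (E bit plus 31-bit stream dependency, then a one-byte weight) after the optional Pad Length byte; a frame too short to hold them is a FRAME_SIZE_ERROR and must be rejected before any of those bytes are read. The three sample frames are constructed for this example; the function and constant names are illustrative.

```c
/* Added example, not haproxy's code: a minimal decoder for the HTTP/2
 * HEADERS frame payload that enforces the length check the advisory is
 * about. RFC 7540 section 6.2: with the PRIORITY flag set the payload
 * carries 5 extra bytes (E bit + 31-bit stream dependency, 1-byte weight)
 * after the optional Pad Length byte; a frame too short to hold them is a
 * FRAME_SIZE_ERROR and must be rejected before any field is read.
 * All sample frames below are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define H2_FT_HEADERS            0x01
#define H2_F_HEADERS_END_HEADERS 0x04
#define H2_F_HEADERS_PADDED      0x08
#define H2_F_HEADERS_PRIORITY    0x20

struct h2_headers {
    int exclusive;            /* E bit */
    uint32_t dep_stream;      /* stream dependency, 31 bits */
    uint8_t weight;           /* priority weight minus one */
    const uint8_t *hdr_block; /* header block fragment (HPACK, not decoded here) */
    size_t hdr_len;
};

/* Parse the payload of a HEADERS frame. Returns 0 on success, -1 on a
 * frame that violates the framing rules (treated as a connection error). */
int h2_parse_headers_payload(const uint8_t *p, size_t flen, uint8_t flags,
                             struct h2_headers *out)
{
    size_t pos = 0, padlen = 0;

    memset(out, 0, sizeof *out);
    if (flags & H2_F_HEADERS_PADDED) {
        if (flen < 1)
            return -1;                 /* no room for the Pad Length byte */
        padlen = p[0];
        pos = 1;
        if (padlen > flen - pos)
            return -1;                 /* padding longer than the payload */
    }
    if (flags & H2_F_HEADERS_PRIORITY) {
        /* The check at issue: 5 bytes of priority fields must fit between
         * the Pad Length byte and the padding, otherwise reading them walks
         * past the end of the frame. */
        if (flen - pos - padlen < 5)
            return -1;
        out->exclusive  = p[pos] >> 7;
        out->dep_stream = ((uint32_t)(p[pos] & 0x7f) << 24) |
                          ((uint32_t)p[pos + 1] << 16) |
                          ((uint32_t)p[pos + 2] << 8) | p[pos + 3];
        out->weight = p[pos + 4];
        pos += 5;
    }
    out->hdr_block = p + pos;
    out->hdr_len   = flen - pos - padlen;
    return 0;
}

/* Parse a whole frame (9-byte header + payload) held in buf. Returns 0 on
 * success, -1 on a framing error, -2 if the frame is not a HEADERS frame. */
int h2_parse_headers_frame(const uint8_t *buf, size_t buflen,
                           struct h2_headers *out)
{
    if (buflen < 9)
        return -1;
    size_t   flen  = ((size_t)buf[0] << 16) | ((size_t)buf[1] << 8) | buf[2];
    uint8_t  type  = buf[3], flags = buf[4];
    uint32_t sid   = ((uint32_t)(buf[5] & 0x7f) << 24) | ((uint32_t)buf[6] << 16) |
                     ((uint32_t)buf[7] << 8) | buf[8];

    if (type != H2_FT_HEADERS)
        return -2;
    if (sid == 0)
        return -1;                     /* HEADERS on stream 0 is a PROTOCOL_ERROR */
    if (flen > buflen - 9)
        return -1;                     /* payload not fully present in buf */
    return h2_parse_headers_payload(buf + 9, flen, flags, out);
}

/* Constructed samples. Frame header: 24-bit length, type, flags, 31-bit stream id. */
/* PRIORITY|END_HEADERS set but only 3 payload bytes: must be rejected. */
static const uint8_t short_prio_frame[] = {
    0x00, 0x00, 0x03, H2_FT_HEADERS, 0x24, 0x00, 0x00, 0x00, 0x01,
    0xaa, 0xbb, 0xcc };
/* Same flags, 6 payload bytes: E=1, dep=0, weight=15, then one HPACK byte. */
static const uint8_t good_prio_frame[] = {
    0x00, 0x00, 0x06, H2_FT_HEADERS, 0x24, 0x00, 0x00, 0x00, 0x01,
    0x80, 0x00, 0x00, 0x00, 0x0f, 0x82 };
/* PADDED|PRIORITY|END_HEADERS, 6 payload bytes, Pad Length 2: only 3 bytes
 * remain for the 5 priority bytes, so this must be rejected too. */
static const uint8_t padded_short_frame[] = {
    0x00, 0x00, 0x06, H2_FT_HEADERS, 0x2c, 0x00, 0x00, 0x00, 0x01,
    0x02, 0x80, 0x00, 0x00, 0x00, 0x00 };

/* Wrappers over the samples so results can be checked without the struct. */
int short_prio_frame_rc(void)
{ struct h2_headers h; return h2_parse_headers_frame(short_prio_frame, sizeof short_prio_frame, &h); }
int padded_short_frame_rc(void)
{ struct h2_headers h; return h2_parse_headers_frame(padded_short_frame, sizeof padded_short_frame, &h); }
int good_prio_frame_rc(void)
{ struct h2_headers h; return h2_parse_headers_frame(good_prio_frame, sizeof good_prio_frame, &h); }
int good_prio_frame_weight(void)
{ struct h2_headers h; h2_parse_headers_frame(good_prio_frame, sizeof good_prio_frame, &h); return h.weight; }
size_t good_prio_frame_hdr_len(void)
{ struct h2_headers h; h2_parse_headers_frame(good_prio_frame, sizeof good_prio_frame, &h); return h.hdr_len; }

int main(void)
{
    printf("short PRIORITY frame: rc=%d\n", short_prio_frame_rc());
    printf("padded short frame:   rc=%d\n", padded_short_frame_rc());
    printf("good frame: rc=%d weight=%d hdr_len=%zu\n", good_prio_frame_rc(),
           good_prio_frame_weight(), good_prio_frame_hdr_len());
    return 0;
}
```

The important property is that the size check runs before any priority byte is dereferenced and accounts for both the Pad Length byte and the trailing padding; a decoder that only verifies the total frame length against the 9-byte header, or that subtracts the padding after reading the priority fields, still reads past the frame on the short input.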
Created attachment 1518051: Patch
Mitigation: HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability keep it disabled. You can verify if HTTP/2 support is enabled by following the instructions in the upstream pull request, [1]. [1] https://github.com/openshift/origin/pull/19968
Set Moderate product-specific impact on RHOSP haproxy container images given:
- HTTP/2 is not enabled for OpenStack deployments behind haproxy
- All haproxy packages come from RHEL directly, and are not repackaged.

I have left the affects in place however as we should ensure container images are updated to include the fixed package, in the unlikely case customers have customized the configuration to manually enable HTTP/2. I have also added RHOS-12 and RHOS-13, given they made container images available for haproxy and these could optionally be deployed during RHOS deployment.

OpenStack Statement: All editions of RHOS ship with HTTP/2 disabled on all haproxy instances by default, so are not impacted by this flaw. Customers who have customised their deployments to enable HTTP/2 should ensure they update haproxy and haproxy containers.
Upstream Commit: http://git.haproxy.org/?p=haproxy.git;a=commitdiff;h=a01f45e3ced23c799f6e78b5efdbd32198a75354
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:0275 https://access.redhat.com/errata/RHSA-2019:0275
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.10 Via RHSA-2019:0548 https://access.redhat.com/errata/RHSA-2019:0548
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.9 Via RHSA-2019:0547 https://access.redhat.com/errata/RHSA-2019:0547
Statement: HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw, see [1]. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9 and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled. Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.

[1] http://www.haproxy.org/news.html
[2] https://github.com/openshift/origin/pull/19968
[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html