Bug 2000599 (CVE-2021-40346) - CVE-2021-40346 haproxy: request smuggling attack or response splitting via duplicate content-length header
Summary: CVE-2021-40346 haproxy: request smuggling attack or response splitting via du...
Keywords:
Status: NEW
Alias: CVE-2021-40346
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2000621 2001963 2002703 2003162 2002411 2002412 2002753 2003180
Blocks: 1999861
Reported: 2021-09-02 13:20 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-09-29 01:56 UTC (History)

Fixed In Version: haproxy 2.4.4
Doc Type: If docs needed, set a value
Doc Text:
Proxy server haproxy has a flaw that could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by haproxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in haproxy while parsing an HTTP request. The highest threat from this vulnerability is integrity.
Clone Of:
Environment:
Last Closed:



Description Guilherme de Almeida Suckevicz 2021-09-02 13:20:50 UTC
A flaw was found in haproxy in versions 2.0 and later. A weakness in the HTX code allows it to bypass the check for a duplicate content-length header and inject a second fake one, leading to a request smuggling attack or possibly a response splitting one.

Comment 3 devthomp 2021-09-08 18:09:07 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 2002411]

Comment 5 devthomp 2021-09-08 18:15:10 UTC
haproxy has a flaw that could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by HAProxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request.

RHEL7 and RHEL8 are not affected by this flaw.
However, to mitigate this problem, the following can be added to the proxy config:

http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
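The two ACLs above count occurrences of the Content-Length header and deny the message when there is more than one. The following is an added example, not code from the bug report or from HAProxy, that applies the same rule to raw HTTP messages in Python, so the counting behaviour (case-insensitive names, request and response handled alike) can be checked offline against constructed samples.

```python
"""Offline equivalent of the HAProxy mitigation
  http-request  deny if { req.hdr_cnt(content-length) gt 1 }
  http-response deny if { res.hdr_cnt(content-length) gt 1 }
Added example; function names and sample messages are constructed here."""
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP/1.1
    request or response. The first line (request line or status line) is
    skipped. Header names are case-insensitive, so they are lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line; ignore
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def header_count(raw: bytes, name: str) -> int:
    """Mirror of hdr_cnt(<name>): number of header fields with that name."""
    wanted = name.lower()
    return sum(1 for n, _ in parse_headers(raw) if n == wanted)


def should_deny(raw: bytes) -> bool:
    """True when the ACL would fire: more than one Content-Length present.
    Like the HAProxy rule, this denies even if the duplicate values agree."""
    return header_count(raw, "content-length") > 1


# Constructed sample messages (not taken from the bug report).
NORMAL_REQUEST = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\n\r\nhello")
DUPLICATE_CL_REQUEST = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
                        b"Content-Length: 5\r\ncontent-length: 5\r\n\r\nhello")
DUPLICATE_CL_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Content-Length: 2\r\n\r\nok")

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL_REQUEST),
                       ("dup request", DUPLICATE_CL_REQUEST),
                       ("dup response", DUPLICATE_CL_RESPONSE)):
        print(label, "deny" if should_deny(msg) else "allow")
```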

