A flaw was found in haproxy. Anybody who can add a "set-cookie2 X=Y" header into the return path from their server/backend will kill haproxy in 2.2 (and onwards), resulting in a denial of service.
Created haproxy tracking bugs for this issue: Affects: fedora-all [bug 2059440]
patch: https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:1021 https://access.redhat.com/errata/RHSA-2022:1021
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0711
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2022:1153 https://access.redhat.com/errata/RHSA-2022:1153
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:1336 https://access.redhat.com/errata/RHSA-2022:1336
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:1620 https://access.redhat.com/errata/RHSA-2022:1620