Bug 2231370 (CVE-2023-40225) - CVE-2023-40225 haproxy: Proxy forwards malformed empty Content-Length headers
Summary: CVE-2023-40225 haproxy: Proxy forwards malformed empty Content-Length headers
Keywords:
Status: NEW
Alias: CVE-2023-40225
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2231372 2231384 2231371 2231381 2231382 2231383
Blocks: 2231385
TreeView+ depends on / blocked
 
Reported: 2023-08-11 12:29 UTC by Pedro Sampaio
Modified: 2024-03-05 18:15 UTC (History)
26 users (show)

Fixed In Version: haproxy 2.6.15, haproxy 2.7.10, haproxy 2.8.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in HAProxy. Empty Content-Length headers are forwarded, which could cause an HTTP/1 server behind it to interpret the payload as an extra request. This may render the HTTP/1 server vulnerable to attacks in some uncommon cases.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:28:22 UTC
Red Hat Product Errata RHSA-2023:7473 0 None None None 2023-11-29 12:08:22 UTC
Red Hat Product Errata RHSA-2023:7606 0 None None None 2023-12-06 00:50:02 UTC
Red Hat Product Errata RHSA-2024:0200 0 None None None 2024-01-17 19:23:48 UTC
Red Hat Product Errata RHSA-2024:0308 0 None None None 2024-01-24 21:04:31 UTC
Red Hat Product Errata RHSA-2024:1089 0 None None None 2024-03-05 08:17:41 UTC
Red Hat Product Errata RHSA-2024:1142 0 None None None 2024-03-05 18:15:40 UTC

Description Pedro Sampaio 2023-08-11 12:29:49 UTC
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

References:

https://www.haproxy.org/download/2.8/src/CHANGELOG
https://www.haproxy.org/download/2.6/src/CHANGELOG
https://github.com/haproxy/haproxy/issues/2237
https://www.haproxy.org/download/2.7/src/CHANGELOG
https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856

Comment 1 Pedro Sampaio 2023-08-11 12:33:45 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 2231371]


Created haproxy18 tracking bugs for this issue:

Affects: epel-7 [bug 2231372]

Comment 5 Robert Scheck 2023-08-13 08:36:38 UTC
Please note that HAProxy versions before version 2.0, e.g. 1.8 as shipped in RHEL 8 or 1.5 as shipped in RHEL 7, are also affected. See https://github.com/haproxy/haproxy/issues/2237#issuecomment-1676113850 (and comment replies) for more details.

Comment 9 errata-xmlrpc 2023-11-29 12:08:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7473 https://access.redhat.com/errata/RHSA-2023:7473

Comment 10 errata-xmlrpc 2023-12-06 00:50:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:7606 https://access.redhat.com/errata/RHSA-2023:7606

Comment 11 errata-xmlrpc 2024-01-17 19:23:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0200 https://access.redhat.com/errata/RHSA-2024:0200

Comment 12 errata-xmlrpc 2024-01-24 21:04:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2024:0308 https://access.redhat.com/errata/RHSA-2024:0308

Comment 14 errata-xmlrpc 2024-02-27 22:28:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 15 errata-xmlrpc 2024-03-05 08:17:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1089 https://access.redhat.com/errata/RHSA-2024:1089

Comment 16 errata-xmlrpc 2024-03-05 18:15:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1142 https://access.redhat.com/errata/RHSA-2024:1142


Note You need to log in before you can comment on or make changes to this bug.