Description
A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.
Statement
HTTP/2 support was added to haproxy in version 1.8, so OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw. OCP 3.11 added a configuration option to ose-haproxy-router that makes enabling HTTP/2 support easy [2]. Before that, in OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support [3]. OCP 3.9 and 3.10 are rated Moderate because HTTP/2 support was not a standard configuration option and is therefore unlikely to be enabled. The versions of haproxy shipped in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected because they package haproxy versions before 1.7.

[1] http://www.haproxy.org/news.html
[2] https://github.com/openshift/origin/pull/19968
[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html
Mitigation
HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability, keep it disabled. You can verify whether HTTP/2 support is enabled by following the instructions in the upstream pull request [1].

[1] https://github.com/openshift/origin/pull/19968
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | haproxy | Not affected | | |
| Red Hat Enterprise Linux 7 | haproxy | Not affected | | |
| Red Hat Enterprise Linux 8 | haproxy | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | haproxy | Not affected | | |
| Red Hat OpenShift Container Platform 3.7 | haproxy | Not affected | | |
| Red Hat OpenShift Container Platform 3.10 | haproxy | Fixed | RHSA-2018:2709 | 11.11.2018 |
| Red Hat OpenShift Container Platform 3.9 | atomic-openshift | Fixed | RHBA-2019:0028 | 10.01.2019 |
| Red Hat OpenShift Container Platform 3.9 | atomic-openshift-dockerregistry | Fixed | RHBA-2019:0028 | 10.01.2019 |
| Red Hat OpenShift Container Platform 3.9 | atomic-openshift-web-console | Fixed | RHBA-2019:0028 | 10.01.2019 |
| Red Hat OpenShift Container Platform 3.9 | golang-github-prometheus-node_exporter | Fixed | RHBA-2019:0028 | 10.01.2019 |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Out-of-bounds read vulnerability in the HPACK decoder of the HAProxy server software, allowing an attacker to cause a denial of service