Description
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).
Statement
To exploit this vulnerability, a vulnerable backend server is required. In particular, the server must incorrectly parse the Transfer-Encoding HTTP header.
This issue did not affect the versions of haproxy as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for the http-reuse option.
Mitigation
- Reconsider the use of "http-reuse always" if possible
- Disable HTTP Keep-Alive (also called HTTP Connection reuse) in the backend
- Fix the backend server to correctly parse Transfer-Encoding/Content-Length headers
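The strict framing check that the last mitigation asks of a backend can be sketched as follows, in the spirit of RFC 7230 section 3.3.3. This is an added example, not HAProxy or Red Hat code; the function names and the sample header blocks are constructed for illustration.

```python
# Added example: strict request-framing check in the spirit of RFC 7230 section 3.3.3.
# Function names and the sample header blocks are constructed for illustration.

def parse_headers(raw):
    """Split a raw header block (request line removed) into (name, value) pairs."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        # Whitespace around the field name lets two parsers disagree: refuse it.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.decode("ascii").lower(), value.decode("latin-1").strip()))
    return headers

def classify_framing(raw):
    """Return 'chunked', 'length:<n>', 'none' or 'reject:<reason>'."""
    try:
        headers = parse_headers(raw)
    except ValueError:  # also covers non-ASCII field names (UnicodeDecodeError)
        return "reject:malformed-header"
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        # The case in this advisory: Transfer-Encoding present without a final "chunked".
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            return "reject:te-not-chunked"
        # Stricter than the RFC requires: refuse both headers together rather than pick one.
        if cl:
            return "reject:te-and-cl"
        return "chunked"
    if cl:
        values = {c.strip() for v in cl for c in v.split(",")}
        if len(values) != 1:
            return "reject:conflicting-cl"
        (n,) = values
        if not (n.isascii() and n.isdigit()):
            return "reject:bad-cl"
        return "length:" + str(int(n))
    return "none"

if __name__ == "__main__":
    # Constructed sample: non-chunked Transfer-Encoding alongside Content-Length.
    sample = b"Host: example.test\r\nTransfer-Encoding: identity\r\nContent-Length: 5\r\n"
    print(classify_framing(sample))
```

A backend that rejects these cases instead of silently preferring one header removes the parsing disagreement that the proxy-side flaw relies on.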
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | haproxy | Not affected | | |
| Red Hat Enterprise Linux 7 | haproxy | Not affected | | |
| Red Hat OpenShift Container Platform 3.10 | haproxy | Will not fix | | |
| Red Hat OpenShift Container Platform 3.9 | haproxy | Will not fix | | |
| Red Hat Enterprise Linux 8 | haproxy | Fixed | RHSA-2020:1725 | 28.04.2020 |
| Red Hat OpenShift Container Platform 3.11 | haproxy | Fixed | RHSA-2020:1287 | 07.04.2020 |
| Red Hat OpenShift Container Platform 4.4 | haproxy | Fixed | RHSA-2020:1936 | 04.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-haproxy18-haproxy | Fixed | RHSA-2020:2265 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | rh-haproxy18-haproxy | Fixed | RHSA-2020:2265 | 26.05.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-haproxy18-haproxy | Fixed | RHSA-2020:2265 | 26.05.2020 |
Additional information
CVSS3: 6.5 Medium