[SB 20.08] RCE in HAPROXY (CVE-2020-11100)

On Thursday, 2020-04-02, the HAProxy team announced an update to HAProxy because of a vulnerability in the HPACK decoder used for HTTP/2. A crafted HTTP/2 request can cause memory corruption, leading to a crash or potentially to remote arbitrary code execution.

Affected: version 1.8 and above

HAProxy is packaged with the OpenShift platform, but the attack surface there is limited, according to this Bugzilla page:

OpenShift Container Platform versions through 4.3 contain the vulnerable code; exploitation requires setting ROUTER_USE_HTTP2 in the OpenShift Ingress Operator, which is not currently possible. The impact of this vulnerability is therefore reduced in OCP 4.x, prior to version 4.4, to low.

OpenShift Container Platform 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy. However, it is not enabled by default on that version.

Updates

Mitigations

There is no configuration-based workaround for 2.1 and above. (src)

Impact

HAProxy is widely used and usually well maintained, so we expect a huge amount of affected systems (460.000 installations indexed).

[Figure: haproxy]

The bug was discovered by Google's Project Zero.

References

Questions? Contact: info@zero.bs