HAProxy vulnerable to HTTP Request Smuggling

Started by sorano, September 08, 2021, 06:55:51 PM

Just a heads up to my fellow HAProxy users.
HAProxy has a vulnerability that is quite nasty, see the following github link for mitigation until a fixed version is available:

https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Hi,

Is there a guide somewhere on how to apply the workaround, or has this already been resolved in the 21.7.3_3 update which I'm already running?

Thanks

Gareth

This was fixed in 21.7.3 but forgotten in the release notes.

Since HAProxy is not part of our core, plugin maintainers need to write release notes for their plugins, and those are properly linked in the release notes if updates exist. As of now, no maintainer writes release notes for binary package updates. It is what it is.

Cheers,
Franco

Hi Franco,

No worries on that, just wanted to check if there was anything else I needed to do.

Thanks very much for the help guys :)

Gareth

Usually the FreeBSD security audit works, but it was broken for two weeks, which made it a little harder to know what was actually fixed and what was not beyond the scope of our release notes:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258802

Also our nightly builds offer audit capability over all binary packages we provide (not just core dependencies):

https://nightly.opnsense.org/22.1/amd64/logs/202110060005/11-audit-OpenSSL.log.err

>>> The following vulnerable packages exist:
consul-1.9.9 is vulnerable
redis-6.2.5_1 is vulnerable
*** Error code 1

Long story short, it's best to ask for help here if the situation is unclear. I just wanted to comment on the "forgotten" part: this was actually not the case, because it was out of immediate scope. :)

Cheers,
Franco