21.7.2 - need to upgrade HAPROXY to 2.2.17 to fix CVE-2021-40346

Started by nzkiwi68, September 08, 2021, 11:35:09 PM

HAPROXY reports September/2021 – CVE-2021-40346: Duplicate 'Content-Length' Header Fixed
https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Can we please update the HAPROXY package to v2.2.17

Thanks!

Do you know when the latest version came out? Do you know how much time it takes to prepare a new one?

For the business edition micro-managing CVEs is certainly a possibility, but for the community edition I think the adoption rate is fast enough as it is, with the usual complaints of too many updates in mind.


Cheers,
Franco

You don't need to upgrade. You can use the mitigations instead.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Hi Sorano,

how can I apply the two mitigation strings indicated at the end of the article directly from the plugin configuration GUI?

https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Thanks

Quote from: fabiodanzetta on September 10, 2021, 10:35:39 AM
Hi Sorano,

how can I apply the two mitigation strings indicated at the end of the article directly from the plugin configuration GUI?

https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Thanks

Hi.

Here is how you can do it:
https://docs.opnsense.org/manual/how-tos/haproxy.html#third-step-configure-conditions

Quote from: franco on September 09, 2021, 08:45:29 AM
Do you know when the latest version came out? Do you know how much time it takes to prepare a new one?

I am sorry, I meant no offense. I merely wished to inform, as I use HAPROXY on OPNsense extensively, and that you may not have seen the CVE.

And, no, I don't know the actual effort required to prepare a new HAPROXY package, but, I merely hoped to advise and have this added to the ever growing list of things to be done.

Yes, it looks like there was very little notice.

Lastly, let me say a big thanks to all of you, the many contributors to OPNsense. You do amazing work.



Quote from: sorano on September 10, 2021, 01:20:18 PM
Quote from: fabiodanzetta on September 10, 2021, 10:35:39 AM
Hi Sorano,

how can I apply the two mitigation strings indicated at the end of the article directly from the plugin configuration GUI?

1. Services > HAPROXY > Settings
2. Virtual Services > Public Services (these are your frontends)
3. Edit your public service (or services)
4. Be sure to enable "advanced mode" at the top
5. Scroll down, under "Advanced settings", "Option pass-through" add these lines:

http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
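To see which messages those two ACLs would actually reject, here is a small model of HAProxy's hdr_cnt evaluation run over constructed request and response heads (an added example, not HAProxy's or the OPNsense plugin's code; the sample messages are made up). It also shows the comma case: hdr_cnt counts each comma-separated part of a value as a separate occurrence, whereas fhdr_cnt counts whole header lines only.

```python
"""Model of the 'hdr_cnt(content-length) gt 1' ACL from the workaround.
Added example; not HAProxy code. HTTP/1.1 text form only."""

CONTENT_LENGTH = "content-length"


def parse_headers(head):
    """Split an HTTP/1.1 head (start line plus header lines) into
    (name, value) pairs, keeping every occurrence in original order."""
    headers = []
    for line in head.split("\r\n")[1:]:   # skip request/status line
        if not line:
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def hdr_cnt(headers, name):
    """Mirror HAProxy's hdr_cnt(<name>): names are matched case-insensitively
    and each comma-separated part of a value counts as one occurrence
    (fhdr_cnt would count only whole lines)."""
    count = 0
    for hname, value in headers:
        if hname == name.lower():
            count += len(value.split(","))
    return count


def acl_verdict(head):
    """'deny' when the workaround's ACL matches, otherwise 'allow'."""
    if hdr_cnt(parse_headers(head), CONTENT_LENGTH) > 1:
        return "deny"
    return "allow"


# Constructed sample messages (not taken from the page).
NORMAL = ("POST /login HTTP/1.1\r\nHost: app.example\r\n"
          "Content-Length: 5\r\n\r\nhello")
DUPLICATE = ("POST /login HTTP/1.1\r\nHost: app.example\r\n"
             "Content-Length: 5\r\ncontent-length: 5\r\n\r\nhello")
COMMA_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Length: 5, 5\r\n\r\nhello"

if __name__ == "__main__":
    for label, head in (("normal", NORMAL), ("duplicate", DUPLICATE),
                        ("comma response", COMMA_RESPONSE)):
        print(f"{label}: {acl_verdict(head)}")
```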





Hi Nzkiwi68,

Thank you very much, for the precise indication.
Can you also tell me how I could test everything, maybe using a tool if there is one?

Thanks again.

If you're asking to test the workaround as posted by HAPROXY, I can't see any guidance on how to test it.

For myself, I trust that the vendor's workaround is correct. If you want more assurance including some sort of test (which could involve crafting a malicious header), that's not something I'd ever try.

Perhaps you could go back to HAPROXY and post on their forums to ask for information, it's certainly well beyond the scope of OPNsense.

https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Quote from: nzkiwi68 on September 11, 2021, 05:29:54 AM
I am sorry, I meant no offense. I merely wished to inform, as I use HAPROXY on OPNsense extensively, and that you may not have seen the CVE.

No worries, I just want to explain. In a good release where there are no package errors from the ports tree it takes 48 hours to build, upload, test, document and release. Doing this twice in one week is possible, but not much else is getting done then.

In such cases, where a release cycle has started and then a CVE is released before the release goes out, the question is always: abort or continue? In most cases it's better to continue instead of delaying the release, since this particular issue isn't the only one that needs to be taken care of.

So there is always the next version or you can build from the ports tree yourself in the meantime:

# opnsense-code ports
# cd /usr/ports/net/haproxy22
# make reinstall


Cheers,
Franco

Quote from: nzkiwi68 on September 14, 2021, 12:46:36 AM
If you're asking to test the workaround as posted by HAPROXY, I can't see any guidance on how to test it.

For myself, I trust that the vendor's workaround is correct. If you want more assurance including some sort of test (which could involve crafting a malicious header), that's not something I'd ever try.

Perhaps you could go back to HAPROXY and post on their forums to ask for information, it's certainly well beyond the scope of OPNsense.

https://www.haproxy.com/blog/september-2021-duplicate-content-length-header-fixed/

Hello,

thanks again for all the support.