Hi everyone,

Right after the previous announcement of HTTP/2 vulnerabilities, a group
of security researchers from JFrog Security has been looking into the
possibility of remaining issues around the same topic. While there was
nothing directly exploitable, Ori Hollander found a bug in the HTTP
header name length encoding in the HTX representation, by which the most
significant bit of the name's length can slip into the value's least
significant bit, and figured he could craft a valid request that would
inject a dummy content-length on input that would be produced on output
in addition to the other one, resulting in the possibility of a blind
request smuggling attack ("blind" because the response never gets back
to the attacker). Quite honestly, they've done an excellent job at
spotting this one, because it's not every day that you manage to turn
a single-bit overflow into an extra request, and figuring this out required
digging deeply into the layers! It's likely that they'll publish something
shortly about their finding.
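As an added illustration of the single-bit overflow described above (this is not HAProxy's HTX code, nor the researchers' proof of concept): a small C model of a packed header-length word. The field layout (8-bit name length in the low byte, 20-bit value length above it, 4-bit block type in the top nibble), the function names and the constructed 256-byte sample name are assumptions made for this example. The point that survives regardless of the exact layout is that an unchecked name length of 256 carries into the neighbouring field, so the name decodes as empty and the stored name bytes are reinterpreted as the start of the value; the checked variant shows the bounds check that closes the hole.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field widths of the modelled packed header word. ASSUMPTION for this
 * example: 4-bit block type in the top nibble, 20-bit value length below
 * it, 8-bit name length in the low byte. */
#define NAME_LEN_BITS   8u
#define VALUE_LEN_BITS  20u
#define NAME_LEN_MAX    ((1u << NAME_LEN_BITS) - 1u)    /* 255 */
#define VALUE_LEN_MAX   ((1u << VALUE_LEN_BITS) - 1u)   /* 1048575 */

/* Unchecked packing, the shape of the defect: the lengths are added into
 * the word without verifying that each fits its field. A name length of
 * 256 is 1 << 8, i.e. bit 8, which is the least significant bit of the
 * value-length field: the name length decodes as 0 and the value length
 * grows by one. */
static uint32_t pack_unchecked(uint32_t type, uint32_t nlen, uint32_t vlen)
{
    return (type << 28) + (vlen << NAME_LEN_BITS) + nlen;
}

/* Checked packing: reject anything that does not fit its field. Returns 1
 * and writes the word on success, 0 (leaving *out untouched) on failure. */
static int pack_checked(uint32_t type, uint32_t nlen, uint32_t vlen, uint32_t *out)
{
    if (type > 0xFu || nlen > NAME_LEN_MAX || vlen > VALUE_LEN_MAX)
        return 0;
    *out = (type << 28) | (vlen << NAME_LEN_BITS) | nlen;
    return 1;
}

static uint32_t name_len(uint32_t info)  { return info & NAME_LEN_MAX; }
static uint32_t value_len(uint32_t info) { return (info >> NAME_LEN_BITS) & VALUE_LEN_MAX; }

/* Serialize the header as a consumer would reconstruct it from the packed
 * word and the payload (name bytes immediately followed by value bytes),
 * producing "name: value\r\n". Returns the number of bytes written
 * (excluding the NUL), or -1 if the decoded lengths do not fit the payload
 * or the output buffer. */
static int serialize(uint32_t info, const char *payload, size_t payload_len,
                     char *out, size_t out_size)
{
    uint32_t nl = name_len(info), vl = value_len(info);
    if ((size_t)nl + vl > payload_len)
        return -1;
    if ((size_t)nl + vl + 4 >= out_size)   /* ": " + "\r\n" + NUL */
        return -1;
    memcpy(out, payload, nl);
    memcpy(out + nl, ": ", 2);
    memcpy(out + nl + 2, payload + nl, vl);
    memcpy(out + nl + 2 + vl, "\r\n", 2);
    out[nl + 2 + vl + 2] = '\0';
    return (int)(nl + 4 + vl);
}

int main(void)
{
    /* Constructed input for the demo: a 256-byte header name followed by
     * a 1-byte value, laid out the way the model stores them. */
    char payload[256 + 1];
    memset(payload, 'a', 256);
    payload[256] = 'x';

    uint32_t w = pack_unchecked(1, 256, 1);
    char line[512];
    int n = serialize(w, payload, sizeof(payload), line, sizeof(line));
    printf("unchecked: name_len=%u value_len=%u serialized=%d bytes\n",
           name_len(w), value_len(w), n);
    /* The emitted line is ": aa\r\n": empty name, value taken from the
     * first two bytes of what was sent as the name. */

    uint32_t w2 = 0;
    if (!pack_checked(1, 256, 1, &w2))
        printf("checked: 256-byte name rejected\n");
    return 0;
}
```

The serialize step is where a downstream parser would see a header it was never sent; whether that becomes an extra request depends on what the name bytes contain, which this example deliberately does not go into.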

CVE-2021-40346 was assigned to this issue, which affects versions 2.0
and above. I'm going to issue new maintenance releases for 2.0, 2.2, 2.3
and 2.4 (2.5 still being in development, it will be released a bit later).

A possible workaround for those who cannot upgrade is to block requests
and responses featuring more than one content-length header, which is
what is observed after the overflow has occurred; such messages are
always invalid, because duplicate content-length headers are always
resolved during the parsing phase, hence this condition never legitimately
reaches the HTTP layer:

       http-request  deny if { req.hdr_cnt(content-length) gt 1 }
       http-response deny if { res.hdr_cnt(content-length) gt 1 }

I'd like to thank the usual distro maintainers for agreeing to
produce yet another version of their packages in a short time. Hopefully
now we can all get back to development!

Thanks,
Willy
