Hi,

is HAProxy 2.0.x with "no option http-use-htx" also affected by
this vulnerability?

Best regards / Mit freundlichen Grüßen
Bjoern

On Tue, 7 Sept 2021 at 17:30, Willy Tarreau <[email protected]> wrote:

> Hi everyone,
>
> Right after the previous announce of HTTP/2 vulnerabilities, a group
> of security researchers from JFrog Security have been looking for the
> possibility of remaining issues around the same topic. While there was
> nothing directly exploitable, Ori Hollander found a bug in the HTTP
> header name length encoding in the HTX representation by which the most
> significant bit of the name's length can slip into the value's least
> significant bit, and figured he could craft a valid request that could
> inject a dummy content-length on input that would be produced on output
> in addition to the other one, resulting in the possibility of a blind
> request smuggling attack ("blind" because the response never gets back
> to the attacker). Quite honestly they've done an excellent job at
> spotting this one because it's not every day that you manage to turn
> a single-bit overflow into an extra request, and figuring this required
> to dig deeply into the layers! It's likely that they'll publish something
> shortly about their finding.
>
> CVE-2021-40346 was assigned to this issue, which affects versions 2.0
> and above. I'm going to emit new maintenance releases for 2.0, 2.2, 2.3
> and 2.4 (2.5 still being in development, it will be released a bit later).
>
> A possible workaround for those who cannot upgrade is to block requests
> and responses featuring more than one content-length header after the
> overflow occurred; these ones are always invalid because they're always
> resolved during the parsing phase, hence this condition never reaches
> the HTTP layer:
>
>        http-request  deny if { req.hdr_cnt(content-length) gt 1 }
>        http-response deny if { res.hdr_cnt(content-length) gt 1 }
>
> I'd like to thank the usual distro maintainers for having accepted to
> produce yet another version of their packages in a short time. Hopefully
> now we can all get back to development!
>
> Thanks,
> Willy
>
>
