Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Willy Tarreau
On Mon, Oct 16, 2023 at 08:33:51PM +0200, Aleksandar Lazic wrote:
> 
> On 2023-10-16 (Mo.) 20:12, Lukas Tribus wrote:
> > On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic  wrote:
> > > 
> > > 
> > > 
> > > On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
> > > > Does 1.8 support http/2?
> > > 
> > > No.
> > 
> > Actually haproxy 1.8 supports H2 (without implementing HTX), as per
> > the documentation and announcements:
> > 
> > https://www.mail-archive.com/haproxy@formilux.org/msg28004.html
> > http://docs.haproxy.org/1.8/configuration.html#5.1-alpn
> > 
> > 
> > It does so by downgrading H2 to HTTP/1.1.
> > 
> > 
> > I don't know whether haproxy 1.8 actually is affected by the rapid
> > reset vulnerability or not. I suppose it's possible.
> 
> Well, as far as I have understood the attack properly, the request is in
> HTTP/2 mode and stays in that mode, which isn't the case in 1.8. As you
> already mentioned, in 1.8 the HTTP/2 request was "converted" into HTTP/1,
> and 1.9 is the first version which supports end-to-end HTTP/2.

As Lukas said, in 1.8 H2 is transcoded to HTTP/1.1. It was the very
first implementation. The architecture was different (and overly
complicated due to the limited abilities by then). Most H2 events
would make synchronous calls to the upper layers which would in turn
make synchronous calls downwards. The RST_STREAM does call the ->recv()
and ->wake() callbacks. It could be possible that, due to this, by
chance it was not affected, but that would be pure luck, not a design
decision. I'll need to run some tests on it to know.

Quite frankly, given the numerous limitations of H2 in 1.8, I strongly
doubt anyone interested in H2 uses it on 1.8, so if it were to be
affected and if a trivial fix couldn't be figured out, suggesting to
disable it could remain a sane option.

Regards,
Willy
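An added illustration of the frame-level pattern this thread is discussing, written for this page and not taken from the thread, from haproxy, or from the blog post it cites: a small HTTP/2 frame parser that walks a client byte stream and reports how many client-opened streams were reset by the client, which is the signature CVE-2023-44487 (Rapid Reset) relies on. The frame layout and type codes follow RFC 9113; the 90% reset-ratio threshold and the minimum stream count are assumptions chosen for the demo, and the sample byte stream is constructed inline for the parser and is never sent anywhere.

```python
"""Parse a raw HTTP/2 client byte stream and flag HEADERS -> RST_STREAM churn.

Added example for the CVE-2023-44487 / haproxy-1.8 thread; not haproxy code.
Threshold and window values are assumptions for the demo, not product values.
"""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9

# Frame type codes from RFC 9113, section 6.
TYPE_HEADERS = 0x1
TYPE_RST_STREAM = 0x3
TYPE_SETTINGS = 0x4

FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8  # RST_STREAM error code used by the public attack traffic

RST_RATIO_THRESHOLD = 0.9  # assumption: >= 90% of opened streams reset
MIN_STREAMS = 10           # assumption: ignore connections with few streams


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame.

    Stops at a truncated trailing frame instead of misparsing it.
    """
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")   # 24-bit length
        ftype = data[off + 3]
        flags = data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        end = start + length
        if end > len(data):
            break
        yield ftype, flags, stream_id, data[start:end]
        off = end


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 3-byte length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def rapid_reset_stats(data: bytes) -> dict:
    """Count client-opened streams (odd ids) that the client later reset."""
    opened = set()
    reset_after_open = 0
    for ftype, _flags, sid, _payload in parse_frames(data):
        if ftype == TYPE_HEADERS and sid % 2 == 1:
            opened.add(sid)
        elif ftype == TYPE_RST_STREAM and sid in opened:
            reset_after_open += 1
    n = len(opened)
    ratio = reset_after_open / n if n else 0.0
    return {
        "opened": n,
        "reset": reset_after_open,
        "ratio": ratio,
        "suspicious": n >= MIN_STREAMS and ratio >= RST_RATIO_THRESHOLD,
    }


def sample_stream(n_streams: int, reset_each: bool) -> bytes:
    """Constructed sample: preface, SETTINGS, then n HEADERS frames,
    each optionally followed by RST_STREAM(CANCEL) on the same stream."""
    # Minimal HPACK block: static-table indices 2 (:method GET),
    # 6 (:scheme http), 4 (:path /); :authority omitted for brevity.
    hpack = b"\x82\x86\x84"
    out = PREFACE + build_frame(TYPE_SETTINGS, 0, 0, b"")
    for i in range(n_streams):
        sid = 2 * i + 1
        out += build_frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, hpack)
        if reset_each:
            out += build_frame(TYPE_RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
    return out


if __name__ == "__main__":
    print("rapid reset pattern:", rapid_reset_stats(sample_stream(100, True)))
    print("normal traffic:     ", rapid_reset_stats(sample_stream(100, False)))
```

The detector keys only on the order of frames a client sends; it says nothing about what a given proxy version does with them, which is exactly the part of the question that Willy says needs a test on 1.8 itself.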



Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Aleksandar Lazic



On 2023-10-16 (Mo.) 20:12, Lukas Tribus wrote:
> On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic wrote:
> > On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
> > > Does 1.8 support http/2?
> >
> > No.
>
> Actually haproxy 1.8 supports H2 (without implementing HTX), as per
> the documentation and announcements:
>
> https://www.mail-archive.com/haproxy@formilux.org/msg28004.html
> http://docs.haproxy.org/1.8/configuration.html#5.1-alpn
>
> It does so by downgrading H2 to HTTP/1.1.
>
> I don't know whether haproxy 1.8 actually is affected by the rapid
> reset vulnerability or not. I suppose it's possible.

Well, as far as I have understood the attack properly, the request is in
HTTP/2 mode and stays in that mode, which isn't the case in 1.8. As you
already mentioned, in 1.8 the HTTP/2 request was "converted" into HTTP/1,
and 1.9 is the first version which supports end-to-end HTTP/2.


To be more precise, here is the quote from the above announcement:

```

  - HTTP/2 will not schedule a graceful connection shutdown anymore when
seeing a "Connection: close" header in a response. Instead a new HTTP
action "reject" has been implemented to work like its TCP counter-part.
```

This implies that the connection does not stay open and the attack could 
not work.

But maybe there is a better explanation why 1.8 is not affected.


> Lukas


Regards
Alex



Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Aleksandar Lazic

Hi Ryan.

On 2023-10-16 (Mo.) 19:55, Ryan O'Hara wrote:
> I wondered exactly the same thing, but then saw this on the haproxy.org
> website:
>
> "version 1.8 : multi-threading, HTTP/2, cache, on-the-fly server
> addition/removal, seamless reloads, DNS SRV, hardware SSL engines, ..."
>
> I know that haproxy-1.9 added end-to-end HTTP/2, so is that the
> determining factor here? Many thanks.


Oh, you are right. 1.8 was the first one with mux_h2.c in the tree.
This was the first version with some first steps into the HTTP/2 world.
From my point of view, the statements from the HAProxy.com blog are
quite accurate about why 1.8 is not affected by that CVE.


> Ryan

Regards
Alex

> On Mon, Oct 16, 2023 at 12:41 PM Aleksandar Lazic wrote:
> > On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
> > > Does 1.8 support http/2?
> >
> > No.
> >
> > > On Mon, Oct 16, 2023, 18:58 Ryan O'Hara wrote:
> > >
> > >     Hi all.
> > >
> > >     I read the most recent HAProxy Newsletter, specifically the
> > >     article "HAProxy is Not Affected by the HTTP/2 Rapid Reset Attack"
> > >     by Nick Ramirez [1]. This article states that HAProxy versions 1.9
> > >     and later are *not* affected, which is great. This implies that
> > >     haproxy-1.8 *is* affected, but it also doesn't come right out and
> > >     say that. I understand haproxy-1.8 is EOL, but do we know for
> > >     certain that haproxy-1.8 is affected or not? Asking for a reason.
> > >
> > >     And shout-out to Nick for writing such a great article! Thank
> > >     you, Nick!
> > >
> > >     Ryan
> > >
> > >     [1]
> > >     https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487




Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Lukas Tribus
On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic  wrote:
>
>
>
> On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
> > Does 1.8 support http/2?
>
> No.

Actually haproxy 1.8 supports H2 (without implementing HTX), as per
the documentation and announcements:

https://www.mail-archive.com/haproxy@formilux.org/msg28004.html
http://docs.haproxy.org/1.8/configuration.html#5.1-alpn


It does so by downgrading H2 to HTTP/1.1.


I don't know whether haproxy 1.8 actually is affected by the rapid
reset vulnerability or not. I suppose it's possible.

Lukas
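To make the "H2 downgraded to HTTP/1.1" point concrete, here is an added configuration example (written for this page, not taken from the thread or from the haproxy project) showing how H2 is switched on in 1.8 and the same listener with H2 switched off, which is the option Willy raises later in the thread. On 1.8, H2 is only negotiated when "h2" is offered through ALPN on a TLS bind line in an HTTP-mode frontend (see the 1.8 "alpn" documentation linked above); offering only http/1.1 keeps clients on HTTP/1.1 so the 1.8 H2 transcoding path is never entered. The frontend and backend names, certificate path and addresses are placeholders; the two frontends are shown side by side for comparison and would not both bind :443 in a real configuration.

```haproxy
# Added example for the CVE-2023-44487 / haproxy-1.8 thread; not project code.
# Names, paths and addresses below are hypothetical placeholders.

# 1.8 with H2 enabled: "h2" is offered via ALPN, and haproxy 1.8 transcodes
# each H2 request to HTTP/1.1 internally (HTX, and end-to-end H2, arrive in 1.9).
frontend fe_h2_enabled
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    default_backend be_app

# Same listener with H2 switched off: only http/1.1 is offered via ALPN, so a
# client can never negotiate H2 and the 1.8 H2-to-HTTP/1.1 path is not reached.
# Use this instead of fe_h2_enabled, not in addition to it.
frontend fe_h1_only
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn http/1.1
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Whether the transcoding path in 1.8 actually mishandles a flood of RST_STREAM frames is, as the thread says, untested; removing "h2" from the ALPN list sidesteps the question rather than answering it.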



Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Ryan O'Hara
I wondered exactly the same thing, but then saw this on the haproxy.org
website:

"version 1.8 : multi-threading, HTTP/2, cache, on-the-fly server
addition/removal, seamless reloads, DNS SRV, hardware SSL engines, ..."

I know that haproxy-1.9 added end-to-end HTTP/2, so is that the
determining factor here? Many thanks.

Ryan




On Mon, Oct 16, 2023 at 12:41 PM Aleksandar Lazic wrote:

> On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
> > Does 1.8 support http/2?
>
> No.
>
> > On Mon, Oct 16, 2023, 18:58 Ryan O'Hara wrote:
> >
> > Hi all.
> >
> > I read the most recent HAProxy Newsletter, specifically the
> > article "HAProxy is Not Affected by the HTTP/2 Rapid Reset Attack"
> > by Nick Ramirez [1]. This article states that HAProxy versions 1.9
> > and later are *not* affected, which is great. This implies that
> > haproxy-1.8 *is* affected, but it also doesn't come right out and
> > say that. I understand haproxy-1.8 is EOL, but do we know for
> > certain that haproxy-1.8 is affected or not? Asking for a reason.
> >
> > And shout-out to Nick for writing such a great article! Thank you,
> > Nick!
> >
> > Ryan
> >
> > [1]
> > https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487


Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Aleksandar Lazic

On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
> Does 1.8 support http/2?

No.

> On Mon, Oct 16, 2023, 18:58 Ryan O'Hara wrote:
>
>     Hi all.
>
>     I read the most recent HAProxy Newsletter, specifically the
>     article "HAProxy is Not Affected by the HTTP/2 Rapid Reset Attack"
>     by Nick Ramirez [1]. This article states that HAProxy versions 1.9
>     and later are *not* affected, which is great. This implies that
>     haproxy-1.8 *is* affected, but it also doesn't come right out and
>     say that. I understand haproxy-1.8 is EOL, but do we know for
>     certain that haproxy-1.8 is affected or not? Asking for a reason.
>
>     And shout-out to Nick for writing such a great article! Thank you, Nick!
>
>     Ryan
>
>     [1]
>     https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487


Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Илья Шипицин
Does 1.8 support http/2?

On Mon, Oct 16, 2023, 18:58 Ryan O'Hara  wrote:

> Hi all.
>
> I read the most recent HAProxy Newsletter, specifically the article "HAProxy
> is Not Affected by the HTTP/2 Rapid Reset Attack" by Nick Ramirez [1].
> This article states that HAProxy versions 1.9 and later are *not* affected,
> which is great. This implies that haproxy-1.8 *is* affected, but it also
> doesn't come right out and say that. I understand haproxy-1.8 is EOL, but
> do we know for certain that haproxy-1.8 is affected or not? Asking for a
> reason.
>
> And shout-out to Nick for writing such a great article! Thank you, Nick!
>
> Ryan
>
> [1]
> https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
>


Re: CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Aleksandar Lazic

Hi Ryan.

On 2023-10-16 (Mo.) 17:49, Ryan O'Hara wrote:
> Hi all.
>
> I read the most recent HAProxy Newsletter, specifically the article
> "HAProxy is Not Affected by the HTTP/2 Rapid Reset Attack" by Nick
> Ramirez [1]. This article states that HAProxy versions 1.9 and later
> are *not* affected, which is great. This implies that haproxy-1.8 *is*
> affected, but it also doesn't come right out and say that. I understand
> haproxy-1.8 is EOL, but do we know for certain that haproxy-1.8 is
> affected or not? Asking for a reason.

Well, HTX, which was the transition to HTTP/2, was implemented in 1.9,
which is the reason why 1.8 is not affected.

https://www.haproxy.com/blog/haproxy-1-9-has-arrived

> And shout-out to Nick for writing such a great article! Thank you, Nick!
>
> Ryan

Regards
Alex

> [1]
> https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487



CVE-2023-44487 and haproxy-1.8

2023-10-16 Thread Ryan O'Hara
Hi all.

I read the most recent HAProxy Newsletter, specifically the article "HAProxy
is Not Affected by the HTTP/2 Rapid Reset Attack" by Nick Ramirez [1].
This article states that HAProxy versions 1.9 and later are *not* affected,
which is great. This implies that haproxy-1.8 *is* affected, but it also
doesn't come right out and say that. I understand haproxy-1.8 is EOL, but
do we know for certain that haproxy-1.8 is affected or not? Asking for a
reason.

And shout-out to Nick for writing such a great article! Thank you, Nick!

Ryan

[1]
https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487