SB2021081816 - Multiple vulnerabilities in HAProxy
Published: August 18, 2021
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2021-39242)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP headers. HAProxy does not require the Host header to be consistent with the authority of the request target, so a remote attacker can send a request whose Host header differs from the authority the routing rules are evaluated on, and the request forwarded to the backend is not the one the rules checked.
2) Input validation error (CVE-ID: CVE-2021-39241)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in HAProxy. The HTTP/1 parser accepts a method name that contains a space followed by the name of a protected resource. A backend server that parses the request line differently may treat the request as one for that protected resource, as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example: HAProxy's rules see a request for /static/images while the backend can interpret it as GET /admin?.
An attacker can abuse such behavior to bypass implemented security restrictions and perform unauthorized actions against the web application behind HAProxy.
3) Input validation error (CVE-ID: CVE-2021-39240)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP/2 requests. HAProxy does not ensure that the scheme and path portions of the URI contain only the characters those fields allow, so, for example, the authority seen by the target HTTP/2 server might differ from what the routing rules were intended to enforce.
A remote attacker can send specially crafted input to the application and bypass implemented security restrictions.
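All three issues are request-parsing discrepancies: the proxy evaluates its rules on one reading of the request and the backend acts on another. The following is an added illustration written for this bulletin, not HAProxy code and not the vendor's fix. It shows, on the bulletin's own "GET /admin? HTTP/1.1 /static/images HTTP/1.1" request line, how two lenient parsers disagree, and then the strict checks a front end should apply: method must be a single RFC 7230 token, scheme and path must contain only their permitted characters, and the Host header must agree with the authority. Function names, regexes and the constructed sample requests are this example's own.

```python
import re

# RFC 7230 tchar: the only characters a method token may contain (assumed regex, not HAProxy's).
_TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
METHOD_RE = re.compile(rf"^[{_TCHAR}]+$")
# RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+\-.]*$")
# origin-form target: "/" then pchar / "/" / "?" with "%" only as pct-encoding (approximation of RFC 3986 3.3/3.4)
PATH_RE = re.compile(r"^/(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")
# authority = host [":" port]; bracketed IPv6 literal or reg-name characters (approximation of RFC 3986 3.2.2)
AUTHORITY_RE = re.compile(r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~!$&'()*+,;=]+)(?::\d{1,5})?$")

# Constructed sample: the request line quoted in the bulletin.
CRAFTED_LINE = "GET /admin? HTTP/1.1 /static/images HTTP/1.1"


def lenient_parse_from_right(line: str):
    """Lenient parser that trusts the tail: last token is the version, the one
    before it the target, and everything else is accepted as the method."""
    method, target, version = line.rsplit(" ", 2)
    return method, target, version


def lenient_parse_from_left(line: str):
    """Lenient parser that trusts the head: first token is the method, second the target."""
    method, target, rest = line.split(" ", 2)
    return method, target, rest


def strict_parse_request_line(line: str):
    """RFC 7230 request-line: exactly three parts separated by single spaces,
    each validated against the character set it is allowed to use."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("request-line must be 'method SP target SP version'")
    method, target, version = parts
    if not METHOD_RE.fullmatch(method):
        raise ValueError(f"invalid method token: {method!r}")
    if not PATH_RE.fullmatch(target):
        raise ValueError(f"invalid origin-form target: {target!r}")
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"invalid HTTP version: {version!r}")
    return method, target, version


def request_line_is_valid(line: str) -> bool:
    """Boolean wrapper around the strict parser."""
    try:
        strict_parse_request_line(line)
        return True
    except ValueError:
        return False


def check_h2_request(pseudo: dict, headers: dict) -> list:
    """Validate an HTTP/2 request's pseudo-headers and return the problems found.
    `pseudo` holds the ':' headers, `headers` the regular ones (lower-cased names)."""
    problems = []
    scheme = pseudo.get(":scheme", "")
    path = pseudo.get(":path", "")
    authority = pseudo.get(":authority")
    host = headers.get("host")
    if not SCHEME_RE.fullmatch(scheme):
        problems.append(f"bad :scheme {scheme!r}")
    if path != "*" and not PATH_RE.fullmatch(path):
        problems.append(f"bad :path {path!r}")
    if authority is not None and not AUTHORITY_RE.fullmatch(authority):
        problems.append(f"bad :authority {authority!r}")
    # The request must not carry one authority for the rules and another for the backend.
    if authority is not None and host is not None and host.lower() != authority.lower():
        problems.append(f"Host {host!r} does not match :authority {authority!r}")
    return problems


if __name__ == "__main__":
    print("proxy-style parse :", lenient_parse_from_right(CRAFTED_LINE))
    print("backend-style parse:", lenient_parse_from_left(CRAFTED_LINE)[:2])
    print("strict parser accepts crafted line:", request_line_is_valid(CRAFTED_LINE))
    print(check_h2_request(
        {":method": "GET", ":scheme": "http", ":authority": "app.example", ":path": "/static/images"},
        {"host": "admin.internal"}))
```

Run stand-alone, the script shows the right-anchored parser reporting the target as /static/images while the left-anchored one reports /admin?, and the strict parser rejecting the line outright because the method would have to contain spaces. The HTTP/2 check flags both illegal characters in :scheme or :path and a Host header that disagrees with :authority, which is the inconsistency the two header-related issues above rely on.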
Remediation
Install the update from the vendor's website. The fixing commits are listed in the references below.
References
- https://www.mail-archive.com/haproxy@formilux.org/msg41041.html
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=b5d2b9e154d78e4075db163826c5e0f6d31b2ab1
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=89265224d314a056d77d974284802c1b8a0dc97f
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=a495e0d94876c9d39763db319f609351907a31e8
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=4b8852c70d8c4b7e225e24eb58258a15eb54c26e