CVE-2020-11100: [ANNOUNCE] haproxy-2.1.4
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
Hi,
HAProxy 2.1.4 was released on 2020/04/02. It added 99 new commits after version 2.1.3.
The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.
There is no configuration-based workaround for 2.1 and above.
This vulnerability makes it possible under certain circumstances to write to a wide range of memory locations within the process’ heap, with the limitation that the attacker doesn’t control the absolute address, so the most likely result, by a far margin, will be a process crash, but it is not possible to completely rule out the faint possibility of a remote code execution, at least in a lab-controlled environment. Felix was kind enough to agree to delay the publication of his findings to the 20th of this month in order to leave enough time for haproxy users to apply updates. But please do not wait, as it is not very difficult to figure out how to exploit the bug based on the fix. Distros were notified and will also have fixes available very shortly.
Three other important fixes are present in this version:
  - a non-portable way of calculating a list pointer that breaks with gcc 10 unless using -fno-tree-pta. This bug results in infinite loops at random places in the code depending on how the compiler decides to optimize the code.
  - a bug in the way TLV fields are extracted from the PROXY protocol, as they could be mistakenly looked up in the subsequent payload. This would have limited effects since these would generally be meaningless for the transported protocol, but it could be used to hide a source address from logging, for example.
  - the “tarpit” rules were partially broken in that since 1.9 they wouldn’t prevent a connection from being sent to a server while the 500 response is delivered to the client. Given that they are often used to block suspicious activity, it’s problematic.
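Added example (Python, not HAProxy's own code): a minimal PROXY protocol v2 parser that applies the TLV length validation the second item above describes, so a TLV whose declared length would reach past the PROXY header is rejected instead of being read out of the transported payload. It handles only the v2 PROXY/TCPv4 form, and the header bytes and the 0x05 type value (the PP2_TYPE_UNIQUE_ID type reserved in this release) are used here purely as constructed sample data.

```python
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_UNIQUE_ID = 0x05  # TLV type reserved by 2.1.4 (see changelog)

def build_proxy_v2(src, dst, sport, dport, tlvs, payload):
    """Build a v2 PROXY/TCPv4 header followed by payload (sample data)."""
    body = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    for t, v in tlvs:
        body += struct.pack("!BH", t, len(v)) + v
    return PP2_SIGNATURE + b"\x21\x11" + struct.pack("!H", len(body)) + body + payload

def parse_proxy_v2(buf):
    """Return (addrs, tlvs, payload); raise ValueError if malformed, in
    particular when a TLV length would reach past the declared header."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    if buf[12] != 0x21 or buf[13] != 0x11:  # v2 PROXY command, TCP over IPv4
        raise ValueError("only v2 PROXY/TCPv4 handled in this example")
    hdr_len = struct.unpack_from("!H", buf, 14)[0]
    end = 16 + hdr_len                      # first byte of the real payload
    if len(buf) < end or hdr_len < 12:
        raise ValueError("truncated PROXY header")
    src, dst, sport, dport = struct.unpack_from("!4s4sHH", buf, 16)
    addrs = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
             "sport": sport, "dport": dport}
    pos, tlvs = 28, {}
    while pos < end:
        if end - pos < 3:
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if pos + length > end:  # the length check: value must stay inside the header
            raise ValueError("TLV type 0x%02x overruns PROXY header" % t)
        tlvs[t] = buf[pos:pos + length]
        pos += length
    return addrs, tlvs, buf[end:]

# Constructed sample: a well-formed header, then a copy whose TLV length lies.
GOOD = build_proxy_v2("10.0.0.1", "10.0.0.2", 40000, 443,
                      [(PP2_TYPE_UNIQUE_ID, b"req-1")], b"GET / HTTP/1.1\r\n")
BAD = GOOD[:16 + 12] + struct.pack("!BH", PP2_TYPE_UNIQUE_ID, 200) + GOOD[16 + 12 + 3:]

def check_bad_is_rejected():
    try:
        parse_proxy_v2(BAD)   # a parser trusting the length would read the HTTP payload
    except ValueError:
        return True
    return False
```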
The rest is less important, but still relevant to some users. Among those noticeable I can enumerate:
  - the O(N^2) ACL unique-id allocator that could take several minutes to boot on certain very large configs was reworked to follow O(N log N) instead.
  - the default global maxconn setting when not set in the configuration was incorrectly set to the process’ soft limit instead of the hard limit, resulting in much lower connection counts on some setups after upgrade from 1.x to 2.x. It now properly follows the hard limit.
  - a new thread-safe random number generator that will avoid the risk that the “uuid” sample fetch function returns the exact same UUID in several threads.
  - issues in HTX mode affecting filters, namely cache and compression, that could lead to data corruption.
  - alignment issues causing bus errors on Sparc64 were addressed.
  - fixed a rare case of possible segfault on soft-stop when a finishing thread flushes its pools while another one is freeing some elements.
Please have a look at the changelog below for a more detailed list of fixes, and do not forget to update, either from the sources or from your regular distro channels.
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.1/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.1.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.1.git
   Changelog        : http://www.haproxy.org/download/2.1/src/CHANGELOG
   Cyril’s HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
Complete changelog :
Balvinder Singh Rawat (1):
      DOC: correct typo in alert message about rspirep

Bjoern Jacke (1):
      DOC: fix typo about no-tls-tickets

Björn Jacke (1):
      DOC: improve description of no-tls-tickets

Carl Henrik Lunde (1):
      OPTIM: startup: fast unique_id allocation for acl.

Christopher Faulet (26):
      BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param
      MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex
      MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
      MINOR: filters: Forward data only if the last filter forwards something
      BUG/MINOR: filters: Count HTTP headers as filtered data but don’t forward them
      BUG/MINOR: http-htx: Don’t return error if authority is updated without changes
      BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
      MINOR: http-ana: Match on the path if the monitor-uri starts by a /
      BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
      BUG/MINOR: http-htx: Do case-insensive comparisons on Host header name
      MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
      MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
      BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
      BUG/MINOR: filters: Forward everything if no data filters are called
      MINOR: htx: Add a function to return a block at a specific offset
      BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
      BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
      BUG/MINOR: http-ana: Reset request analysers on a response side error
      BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
      BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
      BUG/MINOR: http-rules: Fix a typo in the reject action function
      BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
      BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
      MINOR: http-rules: Add a flag on redirect rules to know the rule direction
      MINOR: http-rules: Handle the rule direction when a redirect is evaluated
      BUG/MINOR: http-ana: Reset request analysers on error when waiting for response

Daniel Corbett (1):
      BUG/MINOR: stats: Fix color of draining servers on stats page

David Carlier (1):
      BUILD: on ARM, must be linked to libatomic.

Emeric Brun (1):
      BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.

Frédéric Lécaille (1):
      BUG/MINOR: peers: Use after free of “peers” section.

Ilya Shipitsin (4):
      DOC: configuration.txt: fix various typos
      DOC: assorted typo fixes in the documentation and Makefile
      DOC: assorted typo fixes in the documentation
      DOC: assorted typo fixes in the documentation

Jerome Magnin (4):
      MINOR: ist: add an iststop() function
      BUG/MINOR: http: http-request replace-path duplicates the query string
      MINOR: listener: add so_name sample fetch
      BUG/MINOR: http_ana: make sure redirect flags don’t have overlapping bits

Lukas Tribus (2):
      BUG/MINOR: dns: ignore trailing dot
      DOC: ssl: clarify security implications of TLS tickets

Miroslav Zagorac (1):
      DOC: internals: Fix spelling errors in filters.txt

Olivier Houchard (8):
      BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
      BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL;
      MINOR: mt_lists: Appease gcc.
      BUG/MEDIUM: pools: Always update free_list in pool_gc().
      MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
      BUG/MEDIUM: wdt: Don’t ignore WDTSIG and DEBUGSIG in __signal_process_queue().
      MINOR: memory: Change the flush_lock to a spinlock, and don’t get it in alloc.
      BUG/MINOR: connections: Make sure we free the connection on failure.

Tim Duesterhus (5):
      CLEANUP: cfgparse: Fix type of second calloc() parameter
      BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
      BUG/MINOR: pattern: Do not pass len = 0 to calloc()
      BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
      DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID

William Dauchy (1):
      BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat

William Lallemand (2):
      BUG/MINOR: peers: init bind_proc to 1 if it wasn’t initialized
      BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL

Willy Tarreau (38):
      SCRIPTS: make announce-release executable again
      SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
      BUG/MEDIUM: shctx: make sure to keep all blocks aligned
      MINOR: compiler: move CPU capabilities definition from config.h and complete them
      BUG/MEDIUM: ebtree: don’t set attribute packed without unaligned access support
      BUILD: fix recent build failure on unaligned archs
      BUG/MINOR: sample: fix the json converter’s endian-sensitivity
      BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
      BUG/MINOR: connection: make sure to correctly tag local PROXY connections
      MINOR: compiler: add new alignment macros
      BUILD: ebtree: improve architecture-specific alignment
      BUG/MINOR: h2: reject again empty :path pseudo-headers
      BUG/MEDIUM: random: initialize the random pool a bit better
      MINOR: tools: add 64-bit rotate operators
      BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
      MINOR: backend: use a single call to ha_random32() for the random LB algo
      BUG/MINOR: checks/threads: use ha_random() and not rand()
      BUG/MAJOR: list: fix invalid element address calculation
      MINOR: debug: report the task handler’s pointer relative to main
      BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
      MINOR: haproxy: export main to ease access from debugger
      BUILD: tools: remove obsolete and conflicting trace() from standard.c
      BUG/MINOR: wdt: do not return an error when the watchdog couldn’t be enabled
      DOC: fix incorrect indentation of http_auth_*
      BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
      REGTEST: make the PROXY TLV validation depend on version 2.2
      BUILD: wdt: only test for SI_TKILL when compiled with thread support
      BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
      BUG/MINOR: haproxy: always initialize sleeping_thread_mask
      BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
      BUG/MINOR: haproxy/threads: try to make all threads leave together
      BUILD: makefile: fix regex syntax in ARM platform detection
      BUILD: makefile: fix expression again to detect ARM platform
      REGTESTS: use “command -v” instead of “which”
      REGTEST: increase timeouts on the seamless-reload test
      BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
      BUILD: ssl: only pass unsigned chars to isspace()
      BUG/CRITICAL: hpack: never index a header into the headroom after wrapping