CVE-2023-40225
Publication date 10 August 2023
Last updated 24 July 2024
Ubuntu priority
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Mitigation
frontend can reject requests with empty content-length header with the following rule http-request deny if { hdr_len(content-length) 0 }
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| haproxy | ||
| 22.04 LTS jammy |
Fixed 2.4.22-0ubuntu0.22.04.2
|
|
| 20.04 LTS focal |
Fixed 2.0.31-0ubuntu0.2
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Ignored |
Notes
rodrigo-zaiden
affected content-length headers parses were added in v1.9, with HTX mode. legacy mode in v2.0 and before has the correct check. hence, Ubuntu releases older than focal are not affected. there is a followup commit to handle a specific corner case where leading zeroes on content-length are being preserved, and a bogus server could take it as a prefix, that being commit 22731762. upstream stated that the leading zeroes situation can still happen in versions older than v1.9, it could be addressed in v2.0+ (with HTX) but it is not feasible for older versions due to the way values are indexed. (more information on bug link)
Patch details
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.2 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6294-1
- HAProxy vulnerability
- 16 August 2023
- USN-6294-2
- HAProxy vulnerability
- 17 August 2023