{"id": "ORACLELINUX_ELSA-2020-1288.NASL", "bulletinFamily": "scanner", "title": "Oracle Linux 8 : haproxy (ELSA-2020-1288)", "description": "From Red Hat Security Advisory 2020:1288 :\n\nThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:1288 advisory.\n\n - haproxy: malformed HTTP/2 requests can lead to out-of-\n bounds writes (CVE-2020-11100)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "published": "2020-04-06T00:00:00", "modified": "2020-04-06T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/135217", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://oss.oracle.com/pipermail/el-errata/2020-April/009768.html"], "cvelist": ["CVE-2020-11100"], "type": "nessus", "lastseen": "2020-09-14T17:30:25", "edition": 5, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-11100"]}, {"type": "attackerkb", "idList": ["AKB:C5CC4A41-B317-4A5B-9310-C01A4499BC3C"]}, {"type": "fedora", "idList": ["FEDORA:A914260C3A69", "FEDORA:CB25B6076D1C"]}, {"type": "archlinux", "idList": ["ASA-202004-7"]}, {"type": "nessus", "idList": ["UBUNTU_USN-4321-1.NASL", "GENTOO_GLSA-202012-22.NASL", "OPENSUSE-2020-444.NASL", "PHOTONOS_PHSA-2020-3_0-0078_HAPROXY.NASL", "DEBIAN_DSA-4649.NASL", "REDHAT-RHSA-2020-1289.NASL", "FEDORA_2020-16CD111544.NASL", "EULEROS_SA-2020-1709.NASL", "REDHAT-RHSA-2020-1288.NASL", "PHOTONOS_PHSA-2020-1_0-0289_HAPROXY.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0444-1"]}, {"type": "redhat", "idList": ["RHSA-2020:1287", "RHSA-2020:1289", "RHSA-2020:1290", "RHSA-2020:1936", "RHSA-2020:1288"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310877689", "OPENVAS:1361412562311220201580", "OPENVAS:1361412562310853095", "OPENVAS:1361412562310704649", "OPENVAS:1361412562311220201709", "OPENVAS:1361412562310844389", "OPENVAS:1361412562310877719"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4649-1:8F93A"]}, {"type": "freebsd", "idList": ["7F829D44-7509-11EA-B47C-589CFC0F81B0"]}, {"type": "ubuntu", "idList": ["USN-4321-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-1288", "ELSA-2020-1725"]}, {"type": "gentoo", "idList": ["GLSA-202012-22"]}], "modified": "2020-09-14T17:30:25", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2020-09-14T17:30:25", "rev": 2}, "vulnersScore": 6.1}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:1288 and \n# Oracle Linux Security Advisory ELSA-2020-1288 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135217);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/05\");\n\n script_cve_id(\"CVE-2020-11100\");\n script_xref(name:\"RHSA\", value:\"2020:1288\");\n\n script_name(english:\"Oracle Linux 8 : haproxy (ELSA-2020-1288)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"From Red Hat Security Advisory 2020:1288 :\n\nThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:1288 advisory.\n\n - haproxy: malformed HTTP/2 requests can lead to out-of-\n bounds writes (CVE-2020-11100)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2020-April/009768.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected haproxy package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 8\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"haproxy-1.8.15-6.el8_1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"haproxy\");\n}\n", "naslFamily": "Oracle Linux Local Security Checks", "pluginID": "135217", "cpe": ["p-cpe:/a:oracle:linux:haproxy", "cpe:/o:oracle:linux:8"], "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scheme": null}

{"attackerkb": [{"lastseen": "2020-12-24T21:20:34", "bulletinFamily": "info", "cvelist": ["CVE-2020-11100"], "description": "In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.\n\n \n**Recent assessments:** \n \n**3dcyber** at April 23, 2020 1:18pm UTC reported:\n\nThis vulnerability affects HAProxy and does not require prior authentication as indicated by the CVSS score. Hopefully there is an update to the CVSS.\n\nThis vulnerability allows RCE when HTTP2 is enabled on HAProxy. There is a PoC exploit created by the researcher who discovered the vulnerability.\n\n**Note that in some solutions HTTP2 on HAProxy may be enabled by default.**\n\nTo defend against this vulnerability:\n\n * HAproxy patches can be applied. \n\n * As workaroud you can disable HTTP2.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4\n", "modified": "2020-06-05T00:00:00", "published": "2020-04-02T00:00:00", "id": "AKB:C5CC4A41-B317-4A5B-9310-C01A4499BC3C", "href": "https://attackerkb.com/topics/K7LEEf39Jp/cve-2020-11100", "type": "attackerkb", "title": "CVE-2020-11100", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-25T13:57:23", "description": "In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.", "edition": 15, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-02T15:15:00", "title": "CVE-2020-11100", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11100"], "modified": "2020-12-24T16:15:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/a:redhat:openshift_container_platform:4.0", "cpe:/a:redhat:openshift_container_platform:3.11"], "id": "CVE-2020-11100", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11100", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to backup servers in the event a main one fails - accept connections to special ports dedicated to service monitoring - stop accepting connections without breaking existing ones - add, modify, and delete HTTP headers in both directions - block requests matching particular patterns - report detailed status to authenticated users from a URI intercepted from the application ", "modified": "2020-04-11T21:51:58", "published": "2020-04-11T21:51:58", "id": "FEDORA:CB25B6076D1C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: haproxy-1.8.25-1.fc30", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to backup servers in the event a main one fails - accept connections to special ports dedicated to service monitoring - stop accepting connections without breaking existing ones - add, modify, and delete HTTP headers in both directions - block requests matching particular patterns - report detailed status to authenticated users from a URI intercepted from the application ", "modified": "2020-04-28T02:56:24", "published": "2020-04-28T02:56:24", "id": "FEDORA:A914260C3A69", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: haproxy-2.0.14-1.fc31", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:39", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "Arch Linux Security Advisory ASA-202004-7\n=========================================\n\nSeverity: Critical\nDate : 2020-04-08\nCVE-ID : CVE-2020-11100\nPackage : haproxy\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1124\n\nSummary\n=======\n\nThe package haproxy before version 2.1.4-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 2.1.4-1.\n\n# pacman -Syu \"haproxy>=2.1.4-1\"\n\nThe problem has been fixed upstream in version 2.1.4.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nAn out-of-bounds memory write has been found in HAProxy before 2.1.4,\nin the HPACK table management code.\n\nImpact\n======\n\nA remote attacker might be able to execute code via a crafted HTTP/2\nrequest.\n\nReferences\n==========\n\nhttps://git.haproxy.org/?p=haproxy-2.1.git;a=commitdiff;h=f17f86304f187b0f10ca6a8d46346afd9851a543;hp=dd6f0b1a74fb1241d276484f3c4aced513a95b78\nhttps://security.archlinux.org/CVE-2020-11100", "modified": "2020-04-08T00:00:00", "published": "2020-04-08T00:00:00", "id": "ASA-202004-7", "href": "https://security.archlinux.org/ASA-202004-7", "type": "archlinux", "title": "[ASA-202004-7] haproxy: arbitrary code execution", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-04-30T07:08:00", "description": "An update of the haproxy package has been released.", "edition": 2, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-21T00:00:00", "title": "Photon OS 3.0: Haproxy PHSA-2020-3.0-0078", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-04-21T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:haproxy", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2020-3_0-0078_HAPROXY.NASL", "href": "https://www.tenable.com/plugins/nessus/135781", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-3.0-0078. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135781);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/23\");\n\n script_cve_id(\"CVE-2020-11100\");\n\n script_name(english:\"Photon OS 3.0: Haproxy PHSA-2020-3.0-0078\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the haproxy package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-78.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11100\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 3.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-3.0\", cpu:\"x86_64\", reference:\"haproxy-2.0.10-2.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", cpu:\"x86_64\", reference:\"haproxy-debuginfo-2.0.10-2.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", cpu:\"x86_64\", reference:\"haproxy-doc-2.0.10-2.ph3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"haproxy\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-11-19T05:28:59", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1289 advisory.\n\n - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {}, "published": "2020-04-02T00:00:00", "title": "RHEL 8 : haproxy (RHSA-2020:1289)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-04-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource", "p-cpe:/a:redhat:enterprise_linux:haproxy", "cpe:/a:redhat:rhel_e4s:8.0::appstream", "cpe:/o:redhat:rhel_e4s:8.0"], "id": "REDHAT-RHSA-2020-1289.NASL", "href": "https://www.tenable.com/plugins/nessus/135184", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:1289. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135184);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/18\");\n\n script_cve_id(\"CVE-2020-11100\");\n script_xref(name:\"RHSA\", value:\"2020:1289\");\n\n script_name(english:\"RHEL 8 : haproxy (RHSA-2020:1289)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1289 advisory.\n\n - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11100\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:1289\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1819111\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected haproxy and / or haproxy-debugsource packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"Critical\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11100\");\n script_cwe_id(20, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_e4s:8.0::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_e4s_8_0_appstream': [\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:1289');\n}\n\npkgs = [\n {'reference':'haproxy-1.8.15-5.el8_0.1', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_0_appstream']},\n {'reference':'haproxy-1.8.15-5.el8_0.1', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_0_appstream']},\n {'reference':'haproxy-1.8.15-5.el8_0.1', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_0_appstream']},\n {'reference':'haproxy-debugsource-1.8.15-5.el8_0.1', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_0_appstream']},\n {'reference':'haproxy-debugsource-1.8.15-5.el8_0.1', 'cpu':'s390x', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_0_appstream']},\n {'reference':'haproxy-debugsource-1.8.15-5.el8_0.1', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_0_appstream']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'haproxy / haproxy-debugsource');\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-30T07:40:26", "description": "Felix Wilhelm of Google Project Zero discovered that HAProxy, a\nTCP/HTTP reverse proxy, did not properly handle HTTP/2 headers. This\nwould allow an attacker to write arbitrary bytes around a certain\nlocation on the heap, resulting in denial-of-service or potential\narbitrary code execution.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-14T00:00:00", "title": "Debian DSA-4649-1 : haproxy - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-04-14T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "p-cpe:/a:debian:debian_linux:haproxy"], "id": "DEBIAN_DSA-4649.NASL", "href": "https://www.tenable.com/plugins/nessus/135416", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4649. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135416);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/24\");\n\n script_cve_id(\"CVE-2020-11100\");\n script_xref(name:\"DSA\", value:\"4649\");\n\n script_name(english:\"Debian DSA-4649-1 : haproxy - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Felix Wilhelm of Google Project Zero discovered that HAProxy, a\nTCP/HTTP reverse proxy, did not properly handle HTTP/2 headers. This\nwould allow an attacker to write arbitrary bytes around a certain\nlocation on the heap, resulting in denial-of-service or potential\narbitrary code execution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/haproxy\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/haproxy\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4649\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the haproxy packages.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 1.8.19-1+deb10u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"haproxy\", reference:\"1.8.19-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"haproxy-doc\", reference:\"1.8.19-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"vim-haproxy\", reference:\"1.8.19-1+deb10u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-30T08:21:42", "description": "Security fix for CVE-2020-11100)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-14T00:00:00", "title": "Fedora 30 : haproxy (2020-16cd111544)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-04-14T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:haproxy", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2020-16CD111544.NASL", "href": "https://www.tenable.com/plugins/nessus/135418", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-16cd111544.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135418);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/24\");\n\n script_cve_id(\"CVE-2020-11100\");\n script_xref(name:\"FEDORA\", value:\"2020-16cd111544\");\n\n script_name(english:\"Fedora 30 : haproxy (2020-16cd111544)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2020-11100)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-16cd111544\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected haproxy package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"haproxy-1.8.25-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"haproxy\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-30T15:05:25", "description": "An update of the haproxy package has been released.", "edition": 2, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-28T00:00:00", "title": "Photon OS 1.0: Haproxy PHSA-2020-1.0-0289", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-04-28T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:haproxy", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2020-1_0-0289_HAPROXY.NASL", "href": "https://www.tenable.com/plugins/nessus/136032", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0289. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136032);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/29\");\n\n script_cve_id(\"CVE-2020-11100\");\n\n script_name(english:\"Photon OS 1.0: Haproxy PHSA-2020-1.0-0289\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the haproxy package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-289.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11100\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", cpu:\"x86_64\", reference:\"haproxy-2.0.10-2.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", cpu:\"x86_64\", reference:\"haproxy-debuginfo-2.0.10-2.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", cpu:\"x86_64\", reference:\"haproxy-doc-2.0.10-2.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"haproxy\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T09:04:59", "description": "According to the version of the haproxy package installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerability :\n\n - In hpack_dht_insert in hpack-tbl.c in the HPACK decoder\n in HAProxy 1.8 through 2.x before 2.1.4, a remote\n attacker can write arbitrary bytes around a certain\n location on the heap via a crafted HTTP/2 request,\n possibly causing remote code execution.(CVE-2020-11100)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 5, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-06-25T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.6.0 : haproxy (EulerOS-SA-2020-1709)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-06-25T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.6.0", "p-cpe:/a:huawei:euleros:haproxy"], "id": "EULEROS_SA-2020-1709.NASL", "href": "https://www.tenable.com/plugins/nessus/137816", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137816);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2020-11100\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.6.0 : haproxy (EulerOS-SA-2020-1709)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the haproxy package installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerability :\n\n - In hpack_dht_insert in hpack-tbl.c in the HPACK decoder\n in HAProxy 1.8 through 2.x before 2.1.4, a remote\n attacker can write arbitrary bytes around a certain\n location on the heap via a crafted HTTP/2 request,\n possibly causing remote code execution.(CVE-2020-11100)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1709\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?480cbf98\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected haproxy package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"haproxy-1.8.14-1.h2.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"haproxy\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-30T11:40:17", "description": "Felix Wilhelm discovered that HAProxy incorrectly handled certain\nHTTP/2 requests. An attacker could possibly use this to execute\narbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 3, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-08T00:00:00", "title": "Ubuntu 18.04 LTS / 19.10 : haproxy vulnerability (USN-4321-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-04-08T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:haproxy", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.10"], "id": "UBUNTU_USN-4321-1.NASL", "href": "https://www.tenable.com/plugins/nessus/135282", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4321-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135282);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/24\");\n\n script_cve_id(\"CVE-2020-11100\");\n script_xref(name:\"USN\", value:\"4321-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 19.10 : haproxy vulnerability (USN-4321-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Felix Wilhelm discovered that HAProxy incorrectly handled certain\nHTTP/2 requests. An attacker could possibly use this to execute\narbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4321-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected haproxy package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04|19\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.04 / 19.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.04\", pkgname:\"haproxy\", pkgver:\"1.8.8-1ubuntu0.10\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"haproxy\", pkgver:\"2.0.5-1ubuntu0.4\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"haproxy\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-30T08:33:07", "description": "The HAproxy Project reports :\n\nThe main driver for this release is that it contains a fix for a\nserious vulnerability that was responsibly reported last week by Felix\nWilhelm from Google Project Zero, affecting the HPACK decoder used for\nHTTP/2. CVE-2020-11100 was assigned to this issue.", "edition": 5, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-03T00:00:00", "title": "FreeBSD : HAproxy -- serious vulnerability affecting the HPACK decoder used for HTTP/2 (7f829d44-7509-11ea-b47c-589cfc0f81b0)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-04-03T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:haproxy", "p-cpe:/a:freebsd:freebsd:haproxy19", "p-cpe:/a:freebsd:freebsd:haproxy18", "p-cpe:/a:freebsd:freebsd:haproxy21"], "id": "FREEBSD_PKG_7F829D44750911EAB47C589CFC0F81B0.NASL", "href": "https://www.tenable.com/plugins/nessus/135192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135192);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/24\");\n\n script_cve_id(\"CVE-2020-11100\");\n\n script_name(english:\"FreeBSD : HAproxy -- serious vulnerability affecting the HPACK decoder used for HTTP/2 (7f829d44-7509-11ea-b47c-589cfc0f81b0)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The HAproxy Project reports :\n\nThe main driver for this release is that it contains a fix for a\nserious vulnerability that was responsibly reported last week by Felix\nWilhelm from Google Project Zero, affecting the HPACK decoder used for\nHTTP/2. CVE-2020-11100 was assigned to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mail-archive.com/haproxy@formilux.org/msg36876.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mail-archive.com/haproxy@formilux.org/msg36877.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mail-archive.com/haproxy@formilux.org/msg36878.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mail-archive.com/haproxy@formilux.org/msg36879.html\"\n );\n # https://vuxml.freebsd.org/freebsd/7f829d44-7509-11ea-b47c-589cfc0f81b0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bd694e5b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:haproxy18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:haproxy19\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:haproxy21\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"haproxy>=2.0.0<2.0.14\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"haproxy18>=1.8.0<1.8.25\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"haproxy19>=1.9.0<1.9.15\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"haproxy21>=2.1.0<2.1.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-11-19T05:28:59", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1288 advisory.\n\n - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 4, "cvss3": {}, "published": "2020-04-02T00:00:00", "title": "RHEL 8 : haproxy (RHSA-2020:1288)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-04-02T00:00:00", "cpe": ["cpe:/o:redhat:rhel_eus:8.1", "p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource", "cpe:/o:redhat:rhel_tus:8.2", "cpe:/a:redhat:rhel_eus:8.1::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/o:redhat:rhel_eus:8.4", "p-cpe:/a:redhat:enterprise_linux:haproxy", "cpe:/a:redhat:rhel_eus:8.4::appstream", "cpe:/o:redhat:rhel_e4s:8.2", "cpe:/o:redhat:rhel_e4s:8.1", "cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.1::appstream", "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:rhel_aus:8.2", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_eus:8.2", "cpe:/a:redhat:rhel_eus:8.2::appstream"], "id": "REDHAT-RHSA-2020-1288.NASL", "href": "https://www.tenable.com/plugins/nessus/135183", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:1288. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135183);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/18\");\n\n script_cve_id(\"CVE-2020-11100\");\n script_xref(name:\"RHSA\", value:\"2020:1288\");\n\n script_name(english:\"RHEL 8 : haproxy (RHSA-2020:1288)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1288 advisory.\n\n - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11100\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:1288\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1819111\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected haproxy and / or haproxy-debugsource packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"Critical\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11100\");\n script_cwe_id(20, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_aus:8.2::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_e4s:8.1::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_e4s:8.2::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.1::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.2::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.4::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_tus:8.2::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'enterprise_linux_8_appstream': [\n 'rhel-8-for-aarch64-appstream-debug-rpms',\n 'rhel-8-for-aarch64-appstream-rpms',\n 'rhel-8-for-aarch64-appstream-source-rpms',\n 'rhel-8-for-s390x-appstream-debug-rpms',\n 'rhel-8-for-s390x-appstream-rpms',\n 'rhel-8-for-s390x-appstream-source-rpms',\n 'rhel-8-for-x86_64-appstream-debug-rpms',\n 'rhel-8-for-x86_64-appstream-rpms',\n 'rhel-8-for-x86_64-appstream-source-rpms'\n ],\n 'rhel_e4s_8_1_appstream': [\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms'\n ],\n 'rhel_eus_8_1_appstream': [\n 'rhel-8-for-aarch64-appstream-eus-debug-rpms',\n 'rhel-8-for-aarch64-appstream-eus-rpms',\n 'rhel-8-for-aarch64-appstream-eus-source-rpms',\n 'rhel-8-for-s390x-appstream-eus-debug-rpms',\n 'rhel-8-for-s390x-appstream-eus-rpms',\n 'rhel-8-for-s390x-appstream-eus-source-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms',\n 'rhel-8-for-x86_64-appstream-eus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-eus-rpms',\n 'rhel-8-for-x86_64-appstream-eus-source-rpms'\n ],\n 'rhel_eus_8_2_appstream': [\n 'rhel-8-for-aarch64-appstream-eus-debug-rpms',\n 'rhel-8-for-aarch64-appstream-eus-rpms',\n 'rhel-8-for-aarch64-appstream-eus-source-rpms',\n 'rhel-8-for-s390x-appstream-eus-debug-rpms',\n 'rhel-8-for-s390x-appstream-eus-rpms',\n 'rhel-8-for-s390x-appstream-eus-source-rpms',\n 'rhel-8-for-x86_64-appstream-aus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-aus-rpms',\n 'rhel-8-for-x86_64-appstream-aus-source-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms',\n 'rhel-8-for-x86_64-appstream-eus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-eus-rpms',\n 'rhel-8-for-x86_64-appstream-eus-source-rpms',\n 'rhel-8-for-x86_64-appstream-tus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-tus-rpms',\n 'rhel-8-for-x86_64-appstream-tus-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:1288');\n}\n\npkgs = [\n {'reference':'haproxy-1.8.15-6.el8_1.1', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_1', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_8_appstream', 'rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream', 'rhel_eus_8_2_appstream']},\n {'reference':'haproxy-1.8.15-6.el8_1.1', 'cpu':'s390x', 'release':'8', 'el_string':'el8_1', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_8_appstream', 'rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream', 'rhel_eus_8_2_appstream']},\n {'reference':'haproxy-1.8.15-6.el8_1.1', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_1', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_8_appstream', 'rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream', 'rhel_eus_8_2_appstream']},\n {'reference':'haproxy-debugsource-1.8.15-6.el8_1.1', 'cpu':'aarch64', 'release':'8', 'el_string':'el8_1', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_8_appstream', 'rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream', 'rhel_eus_8_2_appstream']},\n {'reference':'haproxy-debugsource-1.8.15-6.el8_1.1', 'cpu':'s390x', 'release':'8', 'el_string':'el8_1', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_8_appstream', 'rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream', 'rhel_eus_8_2_appstream']},\n {'reference':'haproxy-debugsource-1.8.15-6.el8_1.1', 'cpu':'x86_64', 'release':'8', 'el_string':'el8_1', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_8_appstream', 'rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream', 'rhel_eus_8_2_appstream']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'haproxy / haproxy-debugsource');\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-12-31T11:18:26", "description": "The remote host is affected by the vulnerability described in GLSA-202012-22\n(HAProxy: Arbitrary code execution)\n\n It was discovered that HAProxy incorrectly handled certain HTTP/2\n headers.\n \nImpact :\n\n A remote attacker, by sending a specially crafted HTTP/2 request, could\n possibly execute arbitrary code with the privileges of the process, or\n cause a Denial of Service condition.\n \nWorkaround :\n\n Disable HTTP/2 support.", "edition": 2, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-12-28T00:00:00", "title": "GLSA-202012-22 : HAProxy: Arbitrary code execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "modified": "2020-12-28T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:haproxy", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202012-22.NASL", "href": "https://www.tenable.com/plugins/nessus/144610", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202012-22.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144610);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/30\");\n\n script_cve_id(\"CVE-2020-11100\");\n script_xref(name:\"GLSA\", value:\"202012-22\");\n\n script_name(english:\"GLSA-202012-22 : HAProxy: Arbitrary code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202012-22\n(HAProxy: Arbitrary code execution)\n\n It was discovered that HAProxy incorrectly handled certain HTTP/2\n headers.\n \nImpact :\n\n A remote attacker, by sending a specially crafted HTTP/2 request, could\n possibly execute arbitrary code with the privileges of the process, or\n cause a Denial of Service condition.\n \nWorkaround :\n\n Disable HTTP/2 support.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202012-22\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All HAProxy 2.0.x users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-proxy/haproxy-2.0.13:0/2.0'\n All other HAProxy users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-proxy/haproxy-2.1.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:haproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-proxy/haproxy\", unaffected:make_list(\"ge 2.0.13\", \"ge 2.1.4\"), vulnerable:make_list(\"lt 2.1.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"HAProxy\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2020-04-04T16:38:37", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "This update for haproxy fixes the following issues:\n\n - CVE-2020-11100: Fixed an H2/HPAC vulnerability ch might have allowed\n arbitrary writes into a 32-bit relative address space (bsc#1168023).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n", "edition": 1, "modified": "2020-04-04T15:12:49", "published": "2020-04-04T15:12:49", "id": "OPENSUSE-SU-2020:0444-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00002.html", "title": "Security update for haproxy (important)", "type": "suse", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-04-15T15:05:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "description": "The remote host is missing an update for the ", "modified": "2020-04-14T00:00:00", "published": "2020-04-14T00:00:00", "id": "OPENVAS:1361412562310704649", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704649", "type": "openvas", "title": "Debian: Security Advisory for haproxy (DSA-4649-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704649\");\n script_version(\"2020-04-14T03:00:15+0000\");\n script_cve_id(\"CVE-2020-11100\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-14 03:00:15 +0000 (Tue, 14 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-14 03:00:15 +0000 (Tue, 14 Apr 2020)\");\n script_name(\"Debian: Security Advisory for haproxy (DSA-4649-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB10\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4649.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4649-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'haproxy'\n package(s) announced via the DSA-4649-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Felix Wilhelm of Google Project Zero discovered that HAProxy, a TCP/HTTP\nreverse proxy, did not properly handle HTTP/2 headers. This would allow\nan attacker to write arbitrary bytes around a certain location on the\nheap, resulting in denial-of-service or potential arbitrary code\nexecution.\");\n\n script_tag(name:\"affected\", value:\"'haproxy' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (buster), this problem has been fixed in\nversion 1.8.19-1+deb10u2.\n\nWe recommend that you upgrade your haproxy packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"haproxy\", ver:\"1.8.19-1+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"haproxy-doc\", ver:\"1.8.19-1+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"vim-haproxy\", ver:\"1.8.19-1+deb10u2\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-15T15:03:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "description": "The remote host is missing an update for the ", "modified": "2020-04-10T00:00:00", "published": "2020-04-08T00:00:00", "id": "OPENVAS:1361412562310844389", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844389", "type": "openvas", "title": "Ubuntu: Security Advisory for haproxy (USN-4321-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844389\");\n script_version(\"2020-04-10T03:46:49+0000\");\n script_cve_id(\"CVE-2020-11100\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-10 03:46:49 +0000 (Fri, 10 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-08 03:00:30 +0000 (Wed, 08 Apr 2020)\");\n script_name(\"Ubuntu: Security Advisory for haproxy (USN-4321-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU19\\.10|UBUNTU18\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4321-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-April/005383.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'haproxy'\n package(s) announced via the USN-4321-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Felix Wilhelm discovered that HAProxy incorrectly handled certain HTTP/2 requests.\nAn attacker could possibly use this to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"'haproxy' package(s) on Ubuntu 19.10, Ubuntu 18.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"haproxy\", ver:\"2.0.5-1ubuntu0.4\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"haproxy\", ver:\"1.8.8-1ubuntu0.10\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-06-29T17:54:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-06-26T00:00:00", "published": "2020-06-26T00:00:00", "id": "OPENVAS:1361412562311220201709", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201709", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for haproxy (EulerOS-SA-2020-1709)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1709\");\n script_version(\"2020-06-26T07:27:50+0000\");\n script_cve_id(\"CVE-2020-11100\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-26 07:27:50 +0000 (Fri, 26 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-26 07:27:50 +0000 (Fri, 26 Jun 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for haproxy (EulerOS-SA-2020-1709)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.6\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1709\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1709\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'haproxy' package(s) announced via the EulerOS-SA-2020-1709 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.(CVE-2020-11100)\");\n\n script_tag(name:\"affected\", value:\"'haproxy' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.6.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.6.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"haproxy\", rpm:\"haproxy~1.8.14~1.h2.eulerosv2r8\", rls:\"EULEROSVIRTARM64-3.0.6.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-05-28T13:43:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-05-26T00:00:00", "published": "2020-05-26T00:00:00", "id": "OPENVAS:1361412562311220201580", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201580", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for haproxy (EulerOS-SA-2020-1580)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1580\");\n script_version(\"2020-05-26T05:45:29+0000\");\n script_cve_id(\"CVE-2020-11100\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-26 05:45:29 +0000 (Tue, 26 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-26 05:45:29 +0000 (Tue, 26 May 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for haproxy (EulerOS-SA-2020-1580)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1580\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1580\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'haproxy' package(s) announced via the EulerOS-SA-2020-1580 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.(CVE-2020-11100)\");\n\n script_tag(name:\"affected\", value:\"'haproxy' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"haproxy\", rpm:\"haproxy~1.8.14~1.h2.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-15T14:41:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "description": "The remote host is missing an update for the ", "modified": "2020-04-07T00:00:00", "published": "2020-04-05T00:00:00", "id": "OPENVAS:1361412562310853095", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853095", "type": "openvas", "title": "openSUSE: Security Advisory for haproxy (openSUSE-SU-2020:0444-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853095\");\n script_version(\"2020-04-07T12:33:10+0000\");\n script_cve_id(\"CVE-2020-11100\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-07 12:33:10 +0000 (Tue, 07 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-05 03:00:41 +0000 (Sun, 05 Apr 2020)\");\n script_name(\"openSUSE: Security Advisory for haproxy (openSUSE-SU-2020:0444-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0444-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00002.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'haproxy'\n package(s) announced via the openSUSE-SU-2020:0444-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for haproxy fixes the following issues:\n\n - CVE-2020-11100: Fixed an H2/HPAC vulnerability ch might have allowed\n arbitrary writes into a 32-bit relative address space (bsc#1168023).\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-444=1\");\n\n script_tag(name:\"affected\", value:\"'haproxy' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"haproxy\", rpm:\"haproxy~2.0.10+git0.ac198b92~lp151.2.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"haproxy-debuginfo\", rpm:\"haproxy-debuginfo~2.0.10+git0.ac198b92~lp151.2.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"haproxy-debugsource\", rpm:\"haproxy-debugsource~2.0.10+git0.ac198b92~lp151.2.9.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-05-06T01:00:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "description": "The remote host is missing an update for the ", "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "OPENVAS:1361412562310877719", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877719", "type": "openvas", "title": "Fedora: Security Advisory for haproxy (FEDORA-2020-13fd8b1721)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877719\");\n script_version(\"2020-04-30T08:51:29+0000\");\n script_cve_id(\"CVE-2020-11100\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-30 08:51:29 +0000 (Thu, 30 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-30 03:14:30 +0000 (Thu, 30 Apr 2020)\");\n script_name(\"Fedora: Security Advisory for haproxy (FEDORA-2020-13fd8b1721)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2020-13fd8b1721\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/264C7UL3X7L7QE74ZJ557IOUFS3J4QQC\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'haproxy'\n package(s) announced via the FEDORA-2020-13fd8b1721 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high\navailability environments. Indeed, it can:\n\n - route HTTP requests depending on statically assigned cookies\n\n - spread load among several servers while assuring server persistence\n through the use of HTTP cookies\n\n - switch to backup servers in the event a main one fails\n\n - accept connections to special ports dedicated to service monitoring\n\n - stop accepting connections without breaking existing ones\n\n - add, modify, and delete HTTP headers in both directions\n\n - block requests matching particular patterns\n\n - report detailed status to authenticated users from a URI\n intercepted from the application\");\n\n script_tag(name:\"affected\", value:\"'haproxy' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"haproxy\", rpm:\"haproxy~2.0.14~1.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-22T15:06:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11100"], "description": "The remote host is missing an update for the ", "modified": "2020-04-21T00:00:00", "published": "2020-04-12T00:00:00", "id": "OPENVAS:1361412562310877689", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877689", "type": "openvas", "title": "Fedora: Security Advisory for haproxy (FEDORA-2020-16cd111544)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877689\");\n script_version(\"2020-04-21T09:23:28+0000\");\n script_cve_id(\"CVE-2020-11100\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-21 09:23:28 +0000 (Tue, 21 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-12 03:15:56 +0000 (Sun, 12 Apr 2020)\");\n script_name(\"Fedora: Security Advisory for haproxy (FEDORA-2020-16cd111544)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2020-16cd111544\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNW5RZLIX7LOXRLV7WMHX22CI43XSXKW\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'haproxy'\n package(s) announced via the FEDORA-2020-16cd111544 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high\navailability environments. Indeed, it can:\n\n - route HTTP requests depending on statically assigned cookies\n\n - spread load among several servers while assuring server persistence\n through the use of HTTP cookies\n\n - switch to backup servers in the event a main one fails\n\n - accept connections to special ports dedicated to service monitoring\n\n - stop accepting connections without breaking existing ones\n\n - add, modify, and delete HTTP headers in both directions\n\n - block requests matching particular patterns\n\n - report detailed status to authenticated users from a URI\n intercepted from the application\");\n\n script_tag(name:\"affected\", value:\"'haproxy' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"haproxy\", rpm:\"haproxy~1.8.25~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T00:55:32", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4649-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nApril 02, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : haproxy\nCVE ID : CVE-2020-11100\n\nFelix Wilhelm of Google Project Zero discovered that HAProxy, a TCP/HTTP\nreverse proxy, did not properly handle HTTP/2 headers. This would allow\nan attacker to write arbitrary bytes around a certain location on the\nheap, resulting in denial-of-service or potential arbitrary code\nexecution.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 1.8.19-1+deb10u2.\n\nWe recommend that you upgrade your haproxy packages.\n\nFor the detailed security status of haproxy please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/haproxy\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 6, "modified": "2020-04-02T13:13:49", "published": "2020-04-02T13:13:49", "id": "DEBIAN:DSA-4649-1:8F93A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00052.html", "title": "[SECURITY] [DSA 4649-1] haproxy security update", "type": "debian", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2020-04-04T12:37:41", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "\nThe HAproxy Project reports:\n\nThe main driver for this release is that it contains a fix for a serious\n\t vulnerability that was responsibly reported last week by Felix Wilhelm\n\t from Google Project Zero, affecting the HPACK decoder used for HTTP/2.\n\t CVE-2020-11100 was assigned to this issue.\n\n", "edition": 2, "modified": "2020-04-02T00:00:00", "published": "2020-04-02T00:00:00", "id": "7F829D44-7509-11EA-B47C-589CFC0F81B0", "href": "https://vuxml.freebsd.org/freebsd/7f829d44-7509-11ea-b47c-589cfc0f81b0.html", "title": "HAproxy -- serious vulnerability affecting the HPACK decoder used for HTTP/2", "type": "freebsd", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:41:58", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "Felix Wilhelm discovered that HAProxy incorrectly handled certain HTTP/2 requests. \nAn attacker could possibly use this to execute arbitrary code.", "edition": 2, "modified": "2020-04-07T00:00:00", "published": "2020-04-07T00:00:00", "id": "USN-4321-1", "href": "https://ubuntu.com/security/notices/USN-4321-1", "title": "HAProxy vulnerability", "type": "ubuntu", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2020-04-04T12:44:21", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "[1.8.15-6.1]\n- - Fix hapack zero byte input causing overwrite (CVE-2020-11100, #1819518)\n[1.8.15-6]\n- Add gating tests (#1682106)", "edition": 2, "modified": "2020-04-02T00:00:00", "published": "2020-04-02T00:00:00", "id": "ELSA-2020-1288", "href": "http://linux.oracle.com/errata/ELSA-2020-1288.html", "title": "haproxy security update", "type": "oraclelinux", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-06-04T23:29:35", "bulletinFamily": "unix", "cvelist": ["CVE-2019-19330", "CVE-2019-18277", "CVE-2020-11100"], "description": "[1.8.23-3]\n- Fix hapack zero byte input causing overwrite (CVE-2020-11100, #1819519)\n[1.8.23-2]\n- Consider exist status 143 as success (#1778844)\n[1.8.23-1]\n- Update to 1.8.23 (#1774745)", "edition": 1, "modified": "2020-05-05T00:00:00", "published": "2020-05-05T00:00:00", "id": "ELSA-2020-1725", "href": "http://linux.oracle.com/errata/ELSA-2020-1725.html", "title": "haproxy security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2020-04-04T09:40:10", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.\n\nSecurity Fix(es):\n\n* haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes (CVE-2020-11100)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-02T17:37:41", "published": "2020-04-02T17:18:23", "id": "RHSA-2020:1288", "href": "https://access.redhat.com/errata/RHSA-2020:1288", "type": "redhat", "title": "(RHSA-2020:1288) Critical: haproxy security update", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-04T09:41:53", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.\n\nSecurity Fix(es):\n\n* haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes (CVE-2020-11100)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-02T17:26:50", "published": "2020-04-02T17:18:58", "id": "RHSA-2020:1289", "href": "https://access.redhat.com/errata/RHSA-2020:1289", "type": "redhat", "title": "(RHSA-2020:1289) Critical: haproxy security update", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-04T09:42:01", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments.\n\nSecurity Fix(es):\n\n* haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes (CVE-2020-11100)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-04-02T17:28:00", "published": "2020-04-02T17:14:55", "id": "RHSA-2020:1290", "href": "https://access.redhat.com/errata/RHSA-2020:1290", "type": "redhat", "title": "(RHSA-2020:1290) Critical: rh-haproxy18-haproxy security update", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-07T19:41:29", "bulletinFamily": "unix", "cvelist": ["CVE-2019-18277", "CVE-2019-19330", "CVE-2020-11100"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes (CVE-2020-11100)\n\n* haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated \"chunked\" value (CVE-2019-18277)\n\n* haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "modified": "2020-04-07T23:29:07", "published": "2020-04-07T23:28:43", "id": "RHSA-2020:1287", "href": "https://access.redhat.com/errata/RHSA-2020:1287", "type": "redhat", "title": "(RHSA-2020:1287) Critical: OpenShift Container Platform 3.11 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-05T23:13:03", "bulletinFamily": "unix", "cvelist": ["CVE-2019-18277", "CVE-2019-19330", "CVE-2020-11100"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n\n* haproxy: malformed HTTP/2 requests could lead to out-of-bounds writes (CVE-2020-11100)\n\n* haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated \"chunked\" value (CVE-2019-18277)\n\n* haproxy: HTTP/2 implementation was vulnerable to intermediary encapsulation attacks (CVE-2019-19330)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "modified": "2020-05-04T14:06:39", "published": "2020-05-04T13:53:24", "id": "RHSA-2020:1936", "href": "https://access.redhat.com/errata/RHSA-2020:1936", "type": "redhat", "title": "(RHSA-2020:1936) Moderate: OpenShift Container Platform 4.4.3 haproxy security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2020-12-24T18:26:58", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11100"], "description": "### Background\n\nHAProxy is a TCP/HTTP reverse proxy for high availability environments.\n\n### Description\n\nIt was discovered that HAProxy incorrectly handled certain HTTP/2 headers. \n\n### Impact\n\nA remote attacker, by sending a specially crafted HTTP/2 request, could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. \n\n### Workaround\n\nDisable HTTP/2 support.\n\n### Resolution\n\nAll HAProxy 2.0.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-proxy/haproxy-2.0.13:0/2.0\"\n \n\nAll other HAProxy users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-proxy/haproxy-2.1.4\"", "edition": 1, "modified": "2020-12-24T00:00:00", "published": "2020-12-24T00:00:00", "id": "GLSA-202012-22", "href": "https://security.gentoo.org/glsa/202012-22", "title": "HAProxy: Arbitrary code execution", "type": "gentoo", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}