Advisory ROSA-SA-2021-1851

2021-07-02 17:04:24
ROSA LAB
abf.rosalinux.ru
CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 8.1 High (Confidence: High)

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.774 High (Percentile: 98.2%)

Software: haproxy 1.5.18
OS: Cobalt 7.9

CVE-ID: CVE-2018-10184
CVE-Crit: HIGH
CVE-DESC: An issue was found in HAProxy before 1.8.8. The length of an incoming H2 frame was checked against max_frame_size instead of against bufsize. max_frame_size applies only to outgoing traffic, not incoming traffic, so if a large enough frame size is advertised in the SETTINGS frame, a wrapped frame will be defragmented into a temporary allocated buffer where the second fragment can overflow the heap by up to 16 kB. It is very unlikely that this can be used to execute code, given that buffers are very short-lived and their addresses are not realistically predictable in a production environment, but the likelihood of an immediate crash is absolutely certain.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-14645
CVE-Crit: HIGH
CVE-DESC: A flaw was found in the HPACK decoder of HAProxy before 1.8.14, which is used for HTTP/2. An out-of-bounds read in hpack_valid_idx() resulted in a remote crash and denial of service.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20102
CVE-Crit: HIGH
CVE-DESC: An out-of-bounds read was found in dns_validate_dns_response in dns.c in HAProxy before version 1.8.14. Due to a missing check when validating DNS responses, remote attackers could read the 16 bytes corresponding to an AAAA record from the uninitialized portion of the buffer, possibly accessing anything left on the stack, or even past the end of the 8193-byte buffer, depending on the value of accept_payload_size.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20103
CVE-Crit: HIGH
CVE-DESC: An issue was found in dns.c in HAProxy before version 1.8.14. In the case of a compressed pointer, a crafted packet can trigger infinite recursion by making the pointer point to itself, or create a long chain of valid pointers, leading to stack exhaustion.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-14241
CVE-Crit: HIGH
CVE-DESC: HAProxy before version 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-18277
CVE-Crit: HIGH
CVE-DESC: A bug has been discovered in HAProxy before 2.0.6. In legacy mode, messages with a Transfer-Encoding header that lacked the “chunked” value were not rejected correctly. The impact was limited, but when combined with the “http-reuse always” setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component using a lenient parser that would ignore the Content-Length header as soon as it saw a Transfer-Encoding one (even if it was not fully compliant with the specification).
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-19330
CVE-Crit: CRITICAL
CVE-DESC: The HTTP/2 implementation of HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa) and the null character (NUL, ASCII 0x0), also known as Intermediary Encapsulation Attacks.
CVE-STATUS: Default
CVE-REV: default

OS      Version  Architecture  Package  Version   Filename
Cobalt  any      noarch        haproxy  < 1.5.18  UNKNOWN
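
The two dns.c entries above (CVE-2018-20102, CVE-2018-20103) both describe parsing an untrusted DNS response without enough bounds and pointer checks. The C code below is an added example, not HAProxy's code or its fix: the function name dns_read_name and the limit MAX_JUMPS are assumptions, and the packet bytes are constructed. It decodes a compressed name iteratively, keeps every read inside the received length, and caps the number of compression pointers followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_JUMPS 16   /* assumed cap on compression pointers followed */
/* Decode the name at msg[off] into dotted text. Returns its length or -1.
 * Iterative, so pointer loops and long chains cannot exhaust the stack. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_len)
{
    size_t n = 0, jumps = 0;

    for (;;) {
        if (off >= msg_len)
            return -1;                      /* length byte outside the packet */
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {         /* compression pointer */
            if (off + 1 >= msg_len || ++jumps > MAX_JUMPS)
                return -1;                  /* truncated pointer or too many */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= off)
                return -1;                  /* self or forward pointer */
            off = target;
            continue;
        }
        if (len == 0)
            break;                          /* root label ends the name */
        /* reserved label type, label past received data, or output full */
        if ((len & 0xC0) || len > msg_len - off - 1 || n + len + 2 > out_len)
            return -1;
        if (n)
            out[n++] = '.';
        memcpy(out + n, msg + off + 1, len);
        n += len;
        off += (size_t)len + 1;
    }
    if (n >= out_len)
        return -1;                          /* no room for the terminator */
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample: "a.bc" at offset 0; "www" + pointer to 0 at offset 6. */
    const uint8_t pkt[] = {1,'a',2,'b','c',0, 3,'w','w','w',0xC0,0x00};
    char name[64];
    printf("%d %s\n", dns_read_name(pkt, sizeof pkt, 6, name, sizeof name), name);
    return 0;
}
```

The backward-only rule rejects a pointer that targets itself; loops that pass through labels are still possible, which is why the jump cap and the output-size check are both needed.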