A flaw was discovered in the HPACK decoder of haproxy, used for HTTP/2, in versions before 1.8.14. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.
Find out more about CVE-2018-14645 from the MITRE CVE dictionary and NIST NVD.
HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy [2]. Prior to that, in OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support [3]. OCP 3.9 and 3.10 are rated Moderate because HTTP/2 support was not a standard configuration option and is therefore unlikely to be enabled.
Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.
[1] http://www.haproxy.org/news.html
[2] https://github.com/openshift/origin/pull/19968
[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html
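The flaw class described above is an index that reaches past the HPACK header table. The following added example (illustrative code written for this page, not haproxy's hpack_valid_idx() or any other haproxy source) shows the bounds check an RFC 7541 decoder must apply to an Indexed Header Field before touching the table; the dynamic-table struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HPACK_STATIC_ENTRIES 61  /* RFC 7541 Appendix A lists indices 1..61 */

/* Hypothetical dynamic-table state: only the entry count matters here. */
struct hpack_dyn_table {
    size_t count;
};

/* An index names an entry only if 1 <= idx <= 61 (static table) or
 * 62 <= idx <= 61 + count (dynamic table). Index 0 is never valid
 * (RFC 7541 section 6.1). Every table lookup must pass this check first,
 * otherwise the lookup reads past the end of the table. */
bool hpack_index_is_valid(const struct hpack_dyn_table *dt, uint32_t idx)
{
    if (idx == 0)
        return false;
    if (idx <= HPACK_STATIC_ENTRIES)
        return true;
    /* Subtract before comparing so no addition can wrap around. */
    return (idx - HPACK_STATIC_ENTRIES) <= dt->count;
}

/* Decode one Indexed Header Field Representation (RFC 7541 section 6.1):
 * a 7-bit-prefix integer (section 5.1) whose top bit is set.
 * Returns 1 if the decoded index is valid, 0 if it is out of range,
 * and -1 if the input is not an indexed field, is truncated, or would
 * overflow the 32-bit accumulator. */
int hpack_decode_indexed(const struct hpack_dyn_table *dt,
                         const uint8_t *buf, size_t len, uint32_t *idx_out)
{
    if (len == 0 || !(buf[0] & 0x80))
        return -1;
    uint32_t value = buf[0] & 0x7f;
    size_t pos = 1;
    if (value == 0x7f) {                    /* multi-byte integer follows */
        unsigned shift = 0;
        uint8_t b;
        do {
            if (pos >= len || shift > 21)   /* truncated, or 5th byte would overflow */
                return -1;
            b = buf[pos++];
            value += (uint32_t)(b & 0x7f) << shift;
            shift += 7;
        } while (b & 0x80);
    }
    *idx_out = value;
    return hpack_index_is_valid(dt, value) ? 1 : 0;
}
```

The caller must treat a 0 or -1 result as a connection-level COMPRESSION_ERROR rather than falling through to a table lookup.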
CVSS3 Base Score | 7.5 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | None |
Integrity Impact | None |
Availability Impact | High |
Platform | Errata | Release Date |
---|---|---|
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-haproxy18-haproxy) | RHSA-2018:2882 | 2018-10-08 |
Platform | Package | State |
---|---|---|
Red Hat OpenShift Enterprise 3.2 | ose-haproxy-router | Not affected |
Red Hat OpenShift Enterprise 3.1 | ose-haproxy-router | Not affected |
Red Hat OpenShift Enterprise 3.0 | ose-haproxy-router | Not affected |
Red Hat OpenShift Container Platform 3.9 | ose-haproxy-router | Affected |
Red Hat OpenShift Container Platform 3.7 | ose-haproxy-router | Not affected |
Red Hat OpenShift Container Platform 3.6 | ose-haproxy-router | Not affected |
Red Hat OpenShift Container Platform 3.5 | ose-haproxy-router | Not affected |
Red Hat OpenShift Container Platform 3.4 | ose-haproxy-router | Not affected |
Red Hat OpenShift Container Platform 3.3 | ose-haproxy-router | Not affected |
Red Hat OpenShift Container Platform 3.11 | ose-haproxy-router | Not affected |
Red Hat OpenShift Container Platform 3.10 | ose-haproxy-router | Affected |
Red Hat Enterprise Linux 7 | haproxy | Not affected |
Red Hat Enterprise Linux 6 | haproxy | Not affected |
HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability, keep it disabled. You can verify whether HTTP/2 support is enabled by following the instructions in the upstream pull request [1].
[1] https://github.com/openshift/origin/pull/19968