CVE-2018-14645

Impact:
Important
Public Date:
2018-09-20
CWE:
CWE-125
Bugzilla:
1630048: CVE-2018-14645 haproxy: Out-of-bounds read in HPACK decoder
A flaw was discovered in the HPACK decoder of haproxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.

Find out more about CVE-2018-14645 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9, and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled.

Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.

[1] http://www.haproxy.org/news.html
[2] https://github.com/openshift/origin/pull/19968
[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html

CVSS v3 metrics

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-haproxy18-haproxy) RHSA-2018:2882 2018-10-08

Affected Packages State

Platform Package State
Red Hat OpenShift Enterprise 3.2 ose-haproxy-router Not affected
Red Hat OpenShift Enterprise 3.10 ose-haproxy-router Affected
Red Hat OpenShift Enterprise 3.1 ose-haproxy-router Not affected
Red Hat OpenShift Enterprise 3.0 ose-haproxy-router Not affected
Red Hat OpenShift Container Platform 3.9 ose-haproxy-router Affected
Red Hat OpenShift Container Platform 3.7 ose-haproxy-router Not affected
Red Hat OpenShift Container Platform 3.6 ose-haproxy-router Not affected
Red Hat OpenShift Container Platform 3.5 ose-haproxy-router Not affected
Red Hat OpenShift Container Platform 3.4 ose-haproxy-router Not affected
Red Hat OpenShift Container Platform 3.3 ose-haproxy-router Not affected
Red Hat Enterprise Linux 7 haproxy Not affected
Red Hat Enterprise Linux 6 haproxy Not affected

Acknowledgements

Red Hat would like to thank Tim Düsterhus and Willy Tarreau for reporting this issue.

Mitigation

HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability keep it disabled. You can verify it HTTP/2 support is enabled by following the instructions in the upstream pull request, [1].

[1] https://github.com/openshift/origin/pull/19968

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.