CVE-2018-20615

Impact:
Important
Public Date:
2019-01-08
CWE:
CWE-125
Bugzilla:
1663060: CVE-2018-20615 haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash

The MITRE CVE dictionary describes this issue as:

An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame.

Find out more about CVE-2018-20615 from the MITRE CVE dictionary and NIST NVD.

Statement

HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw, see [1]. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9 and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled.

Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.

[1] http://www.haproxy.org/news.html
[2] https://github.com/openshift/origin/pull/19968
[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html
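The missing check described above, shown as an added illustration of how a HEADERS frame decoder should re-validate the frame length after each optional field. This is not HAProxy's code; it assumes only the RFC 7540 HEADERS layout (optional 1-byte Pad Length when PADDED is set, 5 bytes of stream dependency and weight when PRIORITY is set, then the header block fragment, then padding), and the sample payloads are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* HTTP/2 HEADERS frame flags (RFC 7540, section 6.2) */
#define H2_F_PADDED   0x08
#define H2_F_PRIORITY 0x20

/*
 * Locate the header block fragment inside a HEADERS payload of length flen.
 * Returns the fragment length, or -1 when the declared frame length cannot
 * hold the optional fields the flags announce. The point of the example is
 * that the remaining length is re-checked after every optional field; the
 * PRIORITY flag alone consumes 5 bytes (E + stream dependency, weight).
 */
long h2_headers_block_len(const uint8_t *payload, size_t flen, uint8_t flags)
{
    size_t pos = 0, padlen = 0;

    if (flags & H2_F_PADDED) {
        if (flen < 1)             /* need the Pad Length octet itself */
            return -1;
        padlen = payload[pos++];
    }
    if (flags & H2_F_PRIORITY) {
        if (flen - pos < 5)       /* the re-check that CVE-2018-20615 lacked */
            return -1;
        pos += 5;                 /* skip stream dependency + weight */
    }
    if (padlen > flen - pos)      /* padding must fit in what is left */
        return -1;

    return (long)(flen - pos - padlen);
}

/* Constructed sample payloads (hypothetical, not captured traffic). */
/* PRIORITY set: 5 priority bytes followed by a 1-byte header block. */
const uint8_t h2_sample_prio[] = { 0x00, 0x00, 0x00, 0x01, 0x10, 0x82 };
/* PADDED + PRIORITY: pad length 2, 5 priority bytes, 1-byte block, 2 pad. */
const uint8_t h2_sample_padded[] = { 0x02, 0x00, 0x00, 0x00, 0x01, 0x10,
                                     0x82, 0x00, 0x00 };
/* PADDED + PRIORITY with a pad length larger than the remaining bytes. */
const uint8_t h2_sample_badpad[] = { 0x05, 0x00, 0x00, 0x00, 0x01, 0x10, 0x82 };
```

Passing a shorter flen with the PRIORITY flag set models the short frame the advisory describes; the function rejects it instead of reading past the payload.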

CVSS v3 metrics

CVSS3 Base Score: 7.5
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat OpenShift Container Platform 3.10 (haproxy) | RHSA-2019:0548 | 2019-03-14
Red Hat OpenShift Container Platform 3.9 (haproxy) | RHSA-2019:0547 | 2019-03-14
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-haproxy18-haproxy) | RHSA-2019:0275 | 2019-02-05
Red Hat OpenShift Container Platform 3.11 (haproxy) | RHBA-2019:0326 | 2019-02-20

Affected Packages State

Platform | Package | State
Red Hat OpenStack Platform 14.0 (Rocky) | openstack-haproxy-container | Affected
Red Hat OpenStack Platform 13.0 (Queens) | openstack-haproxy-container | Affected
Red Hat OpenStack Platform 12.0 | openstack-haproxy-container | Affected
Red Hat OpenShift Container Platform 4.1 | haproxy | Not affected
Red Hat OpenShift Container Platform 3.7 | haproxy | Not affected
Red Hat Enterprise Linux 8 | haproxy | Not affected
Red Hat Enterprise Linux 7 | haproxy | Not affected
Red Hat Enterprise Linux 6 | haproxy | Not affected

Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Mitigation

HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability, keep it disabled. You can verify whether HTTP/2 support is enabled by following the instructions in the upstream pull request, [1].

[1] https://github.com/openshift/origin/pull/19968

Last Modified

CVE description copyright © 2017, The MITRE Corporation