HTTP/2 support was added to haproxy in version 1.8; therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy. Prior to that, in OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support. OCP 3.9 and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option and was therefore unlikely to be enabled.
Versions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.
CVSS v3 metrics
| Metric | Value |
|---|---|
| CVSS3 Base Score | 7.5 |
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat OpenShift Container Platform 3.10 (haproxy) | RHSA-2019:0548 | 2019-03-14 |
| Red Hat OpenShift Container Platform 3.9 (haproxy) | RHSA-2019:0547 | 2019-03-14 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-haproxy18-haproxy) | RHSA-2019:0275 | 2019-02-05 |
| Red Hat OpenShift Container Platform 3.11 (haproxy) | RHBA-2019:0326 | 2019-02-20 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 14.0 (Rocky) | openstack-haproxy-container | Affected |
| Red Hat OpenStack Platform 13.0 (Queens) | openstack-haproxy-container | Affected |
| Red Hat OpenStack Platform 12.0 | openstack-haproxy-container | Affected |
| Red Hat OpenShift Container Platform 4.1 | haproxy | Not affected |
| Red Hat OpenShift Container Platform 3.7 | haproxy | Not affected |
| Red Hat Enterprise Linux 8 | haproxy | Not affected |
| Red Hat Enterprise Linux 7 | haproxy | Not affected |
| Red Hat Enterprise Linux 6 | haproxy | Not affected |
HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability, keep it disabled. You can verify whether HTTP/2 support is enabled by following the instructions in the upstream pull request.
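As an added example (not taken from Red Hat or from the upstream pull request), the following shell function audits a rendered haproxy configuration for listeners that can negotiate HTTP/2. It assumes HTTP/2 is switched on per `bind` line, either by an `alpn` list containing `h2` or by `proto h2`; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: list haproxy "bind" lines that can negotiate HTTP/2.
# Assumption: HTTP/2 is enabled per listener, through an "alpn" list that
# contains h2 or through "proto h2". Function names are hypothetical.

# h2_binds FILE: print "lineno: line" for every HTTP/2-capable bind line.
h2_binds() {
    awk '
        { line = $0; sub(/#.*/, "", line) }      # drop comments first
        line !~ /^[ \t]*bind[ \t]/ { next }      # only listener definitions
        {
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i < n; i++) {
                # alpn takes a comma-separated protocol list; match h2 exactly
                if ((tok[i] == "alpn" && ("," tok[i+1] ",") ~ /,h2,/) ||
                    (tok[i] == "proto" && tok[i+1] == "h2")) {
                    printf "%d: %s\n", NR, $0
                    next
                }
            }
        }
    ' "$1"
}

# write_sample_cfg FILE: constructed sample configuration for a dry run.
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend public_ssl
    bind :443 ssl crt /etc/pki/example.pem alpn h2,http/1.1
frontend plain
    bind :80
frontend internal
    bind :8443 ssl crt /etc/pki/example.pem alpn http/1.1
    # bind :9443 ssl crt /etc/pki/example.pem alpn h2
frontend clear_h2
    bind :8080 proto h2
EOF
}

# Usage: sh h2_audit.sh /path/to/haproxy.cfg   (no output = no HTTP/2 listener)
[ "$#" -eq 0 ] || h2_binds "$1"
```

An empty result on a host running haproxy 1.8 or later means no listener in that file offers HTTP/2; any printed line is a listener to review against the errata above.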
CVE description copyright © 2017, The MITRE Corporation