Bug 1196408 (CVE-2022-0711)

Summary: VUL-0: CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: dakechi, gianluca.gabrielli, mrueckert, smash_bz, varkoly
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/324551/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-0711:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2022-02-24 08:22:20 UTC
rh#2053666

A flaw was found in haproxy. Anybody who can add a "set-cookie2 X=Y" header into the return path from their server/backend will kill haproxy in 2.2 (and onwards), resulting in a denial of service.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2053666
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0711
Comment 4 Peter Varkoly 2022-03-08 07:43:34 UTC
done
Comment 5 Peter Varkoly 2022-03-08 07:47:24 UTC
make update to latest 2.4
Comment 6 Peter Varkoly 2022-03-08 07:49:00 UTC
3378ea683b1579bf2f791545e154b2c76d48414c
merge: origin/v2.4.8 - not something we can merge
Already up to date.
Comment 7 Gianluca Gabrielli 2022-03-08 08:09:43 UTC
According to the patch [0] v2.4.8 is still vulnerable.

I checked the source code of the following packages:
 - SUSE:SLE-12-SP2:Update/haproxy  1.6.15
 - SUSE:SLE-12-SP5:Update/haproxy  1.6.15
 - SUSE:SLE-15-SP1:Update/haproxy  2.0.14
 - SUSE:SLE-15-SP2:Update/haproxy  2.0.14
 - SUSE:SLE-15-SP4:Update/haproxy  2.4.8+git0.d1f8d41e0
 - SUSE:SLE-15:Update/haproxy      2.0.14
 - openSUSE:Factory/haproxy        2.5.4+git0.e55ab4208

openSUSE:Factory/haproxy-2.5.4+git0.e55ab4208 already contains the patch, while SUSE:SLE-15-SP4:Update/haproxy does not. All the other codestreams are not affected.

Please backport the above-mentioned patch to SUSE:SLE-15-SP4:Update/haproxy.

And please _do not_ close security-related issues yourself, instead reassign them back to security-team@suse.de


[0] https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
Comment 9 Gianluca Gabrielli 2022-03-21 10:37:42 UTC
done
Comment 10 Swamp Workflow Management 2022-07-06 07:15:48 UTC
SUSE-SU-2022:2277-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1196408
CVE References: CVE-2022-0711
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    haproxy-2.4.8+git0.d1f8d41e0-150400.3.3.13
SUSE Linux Enterprise High Availability 15-SP4 (src):    haproxy-2.4.8+git0.d1f8d41e0-150400.3.3.13

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.