Bug 1196408 - (CVE-2022-0711) VUL-0: CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
VUL-0: CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2022-02-24 08:22 UTC by Robert Frohl
Modified: 2022-07-06 07:15 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2022-02-24 08:22:20 UTC

A flaw was found in haproxy. Anybody who can add a "set-cookie2 X=Y" header into the return path from their server/backend will kill haproxy in 2.2 (and onwards), resulting in a denial of service.

Comment 4 Peter Varkoly 2022-03-08 07:43:34 UTC
Comment 5 Peter Varkoly 2022-03-08 07:47:24 UTC
make update to latest 2.4
Comment 6 Peter Varkoly 2022-03-08 07:49:00 UTC
merge: origin/v2.4.8 - not something we can merge
Already up to date.
Comment 7 Gianluca Gabrielli 2022-03-08 08:09:43 UTC
According to the patch [0] v2.4.8 is still vulnerable.

I checked the source code of the following packages:
 - SUSE:SLE-12-SP2:Update/haproxy  1.6.15
 - SUSE:SLE-12-SP5:Update/haproxy  1.6.15
 - SUSE:SLE-15-SP1:Update/haproxy  2.0.14
 - SUSE:SLE-15-SP2:Update/haproxy  2.0.14
 - SUSE:SLE-15-SP4:Update/haproxy  2.4.8+git0.d1f8d41e0
 - SUSE:SLE-15:Update/haproxy      2.0.14
 - openSUSE:Factory/haproxy        2.5.4+git0.e55ab4208

openSUSE:Factory/haproxy-2.5.4+git0.e55ab4208 already contains the patch, while SUSE:SLE-15-SP4:Update/haproxy does not. All the other codestreams are not affected.

Please backport the above-mentioned patch to SUSE:SLE-15-SP4:Update/haproxy.

And please _do not_ close security-related issues yourself, instead reassign them back to security-team@suse.de

[0] https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
Comment 9 Gianluca Gabrielli 2022-03-21 10:37:42 UTC
Comment 10 Swamp Workflow Management 2022-07-06 07:15:48 UTC
SUSE-SU-2022:2277-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1196408
CVE References: CVE-2022-0711
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    haproxy-2.4.8+git0.d1f8d41e0-150400.3.3.13
SUSE Linux Enterprise High Availability 15-SP4 (src):    haproxy-2.4.8+git0.d1f8d41e0-150400.3.3.13

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.