About

Critical impact integer overflow vulnerability found on HAProxy

Security research company, JFrog, has detected an integer overflow vulnerability on HAProxy. The vulnerability affects HAProxy version 2.0 or higher. Older versions of HAProxy do not show this vulnerability. This vulnerability is being tracked under CVE-2021-40346, with a CVSS score of 8.6. It was publicly reported the first time on 31st August, 2021. HAProxy was able to release patch to fix the vulnerability.

The description of the integer overflow vulnerability states –

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

What versions of HAProxy are affected with CVE-2021-40346 or integer overflow vulnerability?

The following versions of HAProxy are impacted with the CVE-2021-40346 or the integer overflow vulnerability:

Affected VersionFixed Version
HAProxy 2.02.0.25
HAProxy  2.22.2.17
HAProxy  2.32.3.14
HAProxy  2.42.4.4
HAProxy Enterprise 2.0r12.0r1-235.1230
HAProxy Enterprise 2.1r12.1r1-238.625
HAProxy Enterprise 2.2r12.2r1-241.505
HAProxy Enterprise 2.3r12.3r1-242.345
HAProxy Kubernetes Ingress Controller 1.61.6.7
HAProxy Enterprise Kubernetes Ingress Controller 1.61.6.7
HAProxy ALOHA 11.511.5.13
HAProxy ALOHA 12.512.5.5
HAProxy ALOHA 13.013.0.7

What is the mitigation for the integer overflow vulnerability – CVE-2021-40346?

The mitigation for HAProxy’s vulnerability lies in updating the software to the latest version. The fixed version is mentioned alongside the affected version in the above table.

If, an immediate update is not possible, HAProxy has issued a remediation script as given below and on their website:

frontend myfrontend
http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }

These lines reject requests or responses that have more than one Content-Length header.

Packages for vulnerability management have also been released by Debian here. The security tracker page lists the latest Debian package that can be installed to resolve the integer overflow vulnerability on HAProxy.