OCPBUGS-17653: haproxy/template: mitigate CVE-2023-40225 #505
Conversation
Mitigation rule taken from the HAProxy 2.6.15 release announcement: https://www.mail-archive.com/haproxy@formilux.org/msg43864.html And quoting from the release notes: the check for invalid characters on content-length header values doesn't reject empty headers, which can pass through. And since they don't have a value, they're not merged with next ones, so it is possible to pass a request that has both an empty content-length and a populated one. Such requests are invalid and the vast majority of servers will reject them. But there are certainly still a few non-compliant servers that will only look at one of them, considering the empty value equals zero and be fooled with this. Thus the problem is not as much for mainstream users as for those who develop their own HTTP stack or who purposely use haproxy to protect a known-vulnerable server, because these ones may be at risk. This issue was reported by Ben Kallus of Dartmouth College and Narf Industries. A CVE was filed for this one. There is a work-around, though: simply rejecting requests containing an empty content-length header will do the job.
openshift-ci-robot
added
the
jira/valid-reference
|
@frobware: This pull request references Jira Issue OCPBUGS-17653, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
jira/valid-bug
|
Thanks! /hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
approved
|
Looks good. |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@frobware: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/cherry-pick release-4.13 |
|
@frobware: Jira Issue OCPBUGS-17653: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-17653 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@Miciah: new pull request created: #506 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@Miciah: new pull request could not be created: failed to create pull request against openshift/router#release-4.13 from head openshift-cherrypick-robot:cherry-pick-505-to-release-4.13: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for openshift-cherrypick-robot:cherry-pick-505-to-release-4.13."}],"documentation_url":"https://docs.github.com/rest/pulls/pulls#create-a-pull-request"} In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.12 |
|
@Miciah: new pull request created: #507 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.11 |
|
@Miciah: new pull request created: #509 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Mitigation rule taken from the HAProxy 2.6.15 release announcement:
https://www.mail-archive.com/haproxy@formilux.org/msg43864.html
And quoting from the release notes:
the check for invalid characters on content-length header values
doesn't reject empty headers, which can pass through. And since they
don't have a value, they're not merged with next ones, so it is
possible to pass a request that has both an empty content-length and
a populated one. Such requests are invalid and the vast majority of
servers will reject them. But there are certainly still a few
non-compliant servers that will only look at one of them,
considering the empty value equals zero and be fooled with this.
Thus the problem is not as much for mainstream users as for those
who develop their own HTTP stack or who purposely use haproxy to
protect a known-vulnerable server, because these ones may be at
risk. This issue was reported by Ben Kallus of Dartmouth College and
Narf Industries. A CVE was filed for this one. There is a
work-around, though: simply rejecting requests containing an empty
content-length header will do the job.