Bug 1154980 - (CVE-2019-18277) VUL-0: CVE-2019-18277: haproxy: HTTP smuggling in messages with transfer-encoding header missing the "chunked" value
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Peter Varkoly
Security Team bot
https://smash.suse.de/issue/245603/
CVSSv3:SUSE:CVE-2019-18277:5.9:(AV:N/...
Reported: 2019-10-24 11:58 UTC by Alexandros Toptsoglou
Modified: 2021-04-08 15:46 UTC (History)

Found By: Security Response Team
Description Alexandros Toptsoglou 2019-10-24 11:58:26 UTC
CVE-2019-18277

A flaw was found in haproxy before version 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with "http-reuse always", it could be used as a help to construct a content smuggling attack against a vulnerable component employing a lenient parser which would ignore the content-length header as soon as it sees a transfer-encoding one, without even parsing it.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1759697
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18277
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18277.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18277
https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
https://nathandavison.com/blog/haproxy-http-request-smuggling
https://www.mail-archive.com/haproxy@formilux.org/msg34926.html
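
Added example, not part of the bug report and not HAProxy's code: the request-framing rule from RFC 7230 section 3.3.3 (a request with Transfer-Encoding whose final coding is not "chunked" must be rejected), next to a model of the lenient parser the description mentions. Function names and the sample header lists are constructed for illustration.

```python
# Added illustration; header lists passed in are (name, value) tuples.

def has_header(headers, wanted):
    """True if a header with this (lower-case) name is present."""
    return any(name.strip().lower() == wanted for name, _ in headers)

def te_codings(headers):
    """Lower-cased transfer codings, in order, across all Transfer-Encoding lines."""
    codings = []
    for name, value in headers:
        if name.strip().lower() == "transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",") if c.strip()]
    return codings

def strict_framing(headers):
    """Strict front end: 'reject', 'chunked', 'content-length' or 'none'."""
    if has_header(headers, "transfer-encoding"):
        codings = te_codings(headers)
        # RFC 7230 3.3.3: if "chunked" is not the final coding of a request,
        # the body length cannot be determined reliably -> 400 and close.
        if not codings or codings[-1] != "chunked":
            return "reject"
        return "chunked"
    return "content-length" if has_header(headers, "content-length") else "none"

def lenient_framing(headers):
    """Model of the lenient parser from the description: any Transfer-Encoding
    header overrides Content-Length, without the value being parsed."""
    if has_header(headers, "transfer-encoding"):
        return "chunked"
    return "content-length" if has_header(headers, "content-length") else "none"

def must_reject(headers):
    """True for the message class this bug is about: a Transfer-Encoding
    header is present but does not end in "chunked"."""
    return strict_framing(headers) == "reject"

if __name__ == "__main__":
    # Constructed sample: Content-Length plus a Transfer-Encoding without "chunked".
    sample = [("Host", "example.test"), ("Content-Length", "5"),
              ("Transfer-Encoding", "gzip")]
    print("strict :", strict_framing(sample))
    print("lenient:", lenient_framing(sample))
```

A front end that forwards such a message framed by Content-Length while the next hop frames it as chunked is the disagreement the description warns about; rejecting at the first hop removes it.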
Comment 1 Alexandros Toptsoglou 2019-10-24 12:02:54 UTC
Tracked the following codestreams as affected:

SUSE:SLE-12-SP1
SUSE:SLE-12-SP2
SUSE:SLE-15-SP1
SUSE:SLE-15


Fix for 1.6 at [1] seems to apply also to 1.5 
Fix for 1.8 at [2] 

[1] https://git.haproxy.org/?p=haproxy-1.6.git;a=commit;h=76dd4aef279030761f0c466b6d6af5a0852c86aa
[2] https://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=3bd4bbdb9f54c18856aeb66b4b9f4a698973d3d3
Comment 4 Swamp Workflow Management 2019-11-25 17:30:05 UTC
This is an autogenerated message for OBS integration:
This bug (1154980) was mentioned in
https://build.opensuse.org/request/show/750826 Factory / haproxy
Comment 5 Swamp Workflow Management 2019-11-25 18:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1154980) was mentioned in
https://build.opensuse.org/request/show/750840 Factory / haproxy
Comment 9 Swamp Workflow Management 2019-11-29 20:12:11 UTC
SUSE-SU-2019:3126-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1154980,1157712,1157714
CVE References: CVE-2019-18277
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src):    haproxy-2.0.10+git0.ac198b92-8.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-11-29 20:13:18 UTC
SUSE-SU-2019:3125-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1154980,1157712,1157714
CVE References: CVE-2019-18277
Sources used:
SUSE Linux Enterprise High Availability 15 (src):    haproxy-2.0.10+git0.ac198b92-3.15.1

Comment 11 Swamp Workflow Management 2019-12-03 23:15:25 UTC
openSUSE-SU-2019:2626-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1154980,1157712,1157714
CVE References: CVE-2019-18277
Sources used:
openSUSE Leap 15.0 (src):    haproxy-2.0.10+git0.ac198b92-lp150.2.16.1
Comment 12 Swamp Workflow Management 2019-12-04 23:15:27 UTC
openSUSE-SU-2019:2645-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1154980,1157712,1157714
CVE References: CVE-2019-18277
Sources used:
openSUSE Leap 15.1 (src):    haproxy-2.0.10+git0.ac198b92-lp151.2.6.1
Comment 13 Swamp Workflow Management 2019-12-12 20:12:19 UTC
SUSE-SU-2019:3288-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1154980
CVE References: CVE-2019-18277
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud Crowbar 8 (src):    haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud 9 (src):    haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud 8 (src):    haproxy-1.6.11-11.3.1
SUSE OpenStack Cloud 7 (src):    haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    haproxy-1.6.11-11.3.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    haproxy-1.6.11-11.3.1
HPE Helion Openstack 8 (src):    haproxy-1.6.11-11.3.1

Comment 14 Alexandros Toptsoglou 2021-04-08 15:46:19 UTC
Done