CVE-2023-40225

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

Read the notes from the security team

Mitigation

frontend can reject requests with empty content-length header with the following rule http-request deny if { hdr_len(content-length) 0 }

Status

Show unmaintained releases

Package	Ubuntu Release	Status
haproxy	23.10 mantic	Fixed 2.6.15-1ubuntu1
	23.04 lunar	Fixed 2.6.9-1ubuntu1.1
	22.04 LTS jammy	Fixed 2.4.22-0ubuntu0.22.04.2
	20.04 LTS focal	Fixed 2.0.31-0ubuntu0.2
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Ignored end of standard support

Notes

rodrigo-zaiden

affected content-length headers parses were added in v1.9, with HTX mode. legacy mode in v2.0 and before has the correct check. hence, Ubuntu releases older than focal are not affected. there is a followup commit to handle a specific corner case where leading zeroes on content-length are being preserved, and a bogus server could take it as a prefix, that being commit 22731762. upstream stated that the leading zeroes situation can still happen in versions older than v1.9, it could be addressed in v2.0+ (with HTX) but it is not feasible for older versions due to the way values are indexed. (more information on bug link)

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
haproxy	Upstream: http://git.haproxy.org/?p=haproxy.git;a=commit;h=6492f1f29d738457ea9f382aca54537f35f9d856 Upstream: http://git.haproxy.org/?p=haproxy.git;a=commit;h=22731762d9fe2c98d9e6c3942b1568266b23c69f Upstream: http://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=d17c50010d591d1c070e1cb0567a06032d8869e9 Upstream: http://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=e2e464018fda41758bd42d3bcd6ac623c88a110e Upstream: http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=ba9afd2774c03e434165475b537d0462801f49bb Upstream: http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=c48acd15011dc6c66977bc088065693f430821df Upstream: http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=4b400110a58da1aa58d58d6371875a3a64c0cff6 Upstream: http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=a90ecde20e53bb26a677b42f53db42900097af9a

Package

Patch details

haproxy

Severity score breakdown

Parameter	Value
Base score	7.2 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Changed
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE-2023-40225

Cvss 3 Severity Score

Mitigation

Status

Notes

rodrigo-zaiden

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references