HAProxy HTTP Request Processing Denial of Service
Release Date : 2013-04-04
Criticality level : Less critical
Impact : DoS
Where : From remote
Solution Status: Vendor Patch
A vulnerability has been reported in HAProxy, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an error within the HTTP content inspection mechanism when processing HTTP requests and can be exploited to crash the service via a specially crafted request.
Successful exploitation requires HTTP keep-alive to be enabled, HTTP inspection in TCP rules to be used, and usage of request appending rules (e.g. reqadd or x-forwarded-for).
The vulnerability is reported in versions prior to 1.4.23.
Update to version 1.4.23.
Provided and/or discovered by:
The vendor credits Yves Lafon, W3C.
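An added example, not part of the original advisory and not HAProxy's own code: a Python check that flags the proxy sections of an `haproxy.cfg` that meet all three preconditions listed above, to help prioritise the update. The keyword heuristic for HTTP inspection, the choice to treat any section without `option httpclose` or `option forceclose` as keep-alive capable, and the sample configuration are assumptions.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b")
# Heuristic (assumption): these tokens in a tcp-request content rule mean HTTP inspection.
HTTP_HINT = re.compile(r"\bHTTP\b|req_proto_http|\bhdr|\bmethod\b|\bpath|\burl")
CLOSE_OPTS = {"httpclose", "forceclose"}

def audit(cfg_text):
    """Return the proxy sections that meet all three preconditions."""
    defaults, sections, current = set(), {}, None
    for raw in cfg_text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comments, squeeze spaces
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            if m.group(1) == "global":
                current = None
            elif m.group(1) == "defaults":
                defaults = current = set()
            else:  # later sections inherit flags from the last defaults
                current = sections.setdefault(line, set(defaults))
            continue
        if current is None:
            continue
        words = line.split()
        if line.startswith("tcp-request content") and HTTP_HINT.search(line):
            current.add("tcp_http")
        elif words[0] == "reqadd" or words[:2] == ["option", "forwardfor"]:
            current.add("append")
        elif words[0] == "option" and len(words) > 1 and words[1] in CLOSE_OPTS:
            current.add(words[1])
        elif words[:2] == ["no", "option"] and len(words) > 2:
            current.discard(words[2])
    return [name for name, f in sections.items()
            if {"tcp_http", "append"} <= f and not f & CLOSE_OPTS]

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CFG = r"""
defaults
    option http-server-close
frontend web
    tcp-request content accept if HTTP
    option forwardfor
frontend legacy
    tcp-request content accept if HTTP
    reqadd X-Proto:\ http
    option httpclose
"""
```

A flagged section only shows that the configuration matches the stated conditions; the installed version still has to be compared against 1.4.23.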