HAProxy HTTP Request Processing Denial of Service

by Carol~ Moderator - 4/4/13 8:11 AM

In Reply to: VULNERABILITIES / FIXES - April 04, 2013 by Carol~ Moderator

HAProxy HTTP Request Processing Denial of Service Vulnerability

Release Date : 2013-04-04

Criticality level : Less critical
Impact : DoS
Where : From remote
Solution Status: Vendor Patch

Software:
HAProxy 1.4.x
HAProxy 1.5.x

Description:
A vulnerability has been reported in HAProxy, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the HTTP content inspection mechanism when processing HTTP requests and can be exploited to crash the service via a specially crafted request.

Successful exploitation requires HTTP keep-alive to be enabled, HTTP inspection in TCP rules to be used, and usage of request appending rules (e.g. reqadd or x-forwarded-for).

The vulnerability is reported in versions prior to 1.4.23.

Solution:
Update to version 1.4.23.

Provided and/or discovered by:
The vendor credits Yves Lafon, W3C.

Original Advisory:
OSS:
http://openwall.com/lists/oss-security/2013/04/03/1

http://secunia.com/advisories/52725/
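The advisory above names three configuration conditions that must all be present for the crash to be reachable: HTTP keep-alive, HTTP inspection inside `tcp-request content` rules, and request-appending rules such as `reqadd` or `option forwardfor`. The following script is an added example written for this thread, not code from the advisory, Secunia or the HAProxy project; it audits an HAProxy 1.4/1.5 configuration file for that combination so an administrator can tell which frontends are affected before upgrading. It assumes that `option http-server-close` (1.4) and `option http-keep-alive` (1.5) are the directives that enable keep-alive with per-request analysis, that `option httpclose` / `option forceclose` disable it, and that the `HTTP` predefined ACL or the `req_proto_http` fetch is how HTTP inspection appears in `tcp-request content` rules. The sample configuration is constructed for the demonstration.

```python
"""Audit a HAProxy 1.4/1.5 config for the three conditions the advisory lists
together: keep-alive, HTTP inspection in tcp-request rules, request appending.
Example code written for this thread, not from the HAProxy project.  The
keyword sets below are assumptions about which directives express each
condition."""
import re

# Assumed: 'option' keywords that enable client-side keep-alive with per-request
# analysis (http-server-close in 1.4, http-keep-alive in 1.5) or disable it.
KEEPALIVE_ON = {"http-server-close", "http-keep-alive"}
KEEPALIVE_OFF = {"httpclose", "forceclose"}
# Assumed: how HTTP inspection shows up inside a 'tcp-request content' rule.
HTTP_INSPECT_RE = re.compile(r"\b(HTTP|req_proto_http|req\.proto_http)\b")
SECTION_RE = re.compile(r"^(global|defaults|frontend|listen|backend)\b\s*(\S*)")


def parse_sections(text):
    """Split a config into sections, dropping comments and blank lines."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"kind": m.group(1), "name": m.group(2), "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
    return sections


def section_features(lines):
    """Extract the three conditions from one section's directives.
    keepalive stays None when the section says nothing (inherit defaults)."""
    feat = {"keepalive": None, "tcp_http_inspect": False, "append": False}
    for line in lines:
        tok = line.split()
        negated = tok[0] == "no"          # 'no option foo' turns foo off
        if negated:
            tok = tok[1:]
        if not tok:
            continue
        if tok[0] == "option" and len(tok) > 1:
            key = tok[1]
            if key in KEEPALIVE_ON:
                feat["keepalive"] = not negated
            elif key in KEEPALIVE_OFF:
                # 'no option httpclose' does not by itself enable keep-alive
                feat["keepalive"] = None if negated else False
            elif key == "forwardfor":     # appends X-Forwarded-For
                feat["append"] = not negated
        elif tok[0] == "reqadd":          # appends an arbitrary request header
            feat["append"] = True
        elif tok[0] == "tcp-request" and len(tok) > 1 and tok[1] == "content":
            if HTTP_INSPECT_RE.search(line):
                feat["tcp_http_inspect"] = True
    return feat


def audit(text):
    """Return names of frontend/listen sections that combine all three
    conditions, honouring 'defaults' inheritance (each defaults section
    replaces the previous one for the proxies that follow it)."""
    flagged = []
    defaults = {"keepalive": None, "tcp_http_inspect": False, "append": False}
    for sec in parse_sections(text):
        if sec["kind"] == "defaults":
            defaults = section_features(sec["lines"])
            continue
        if sec["kind"] not in ("frontend", "listen"):
            continue
        own = section_features(sec["lines"])
        keepalive = own["keepalive"] if own["keepalive"] is not None else defaults["keepalive"]
        inspect = own["tcp_http_inspect"] or defaults["tcp_http_inspect"]
        append = own["append"] or defaults["append"]
        if keepalive and inspect and append:
            flagged.append(sec["name"])
    return flagged


# Constructed sample configuration, not a real deployment.
SAMPLE_CFG = """\
defaults
    mode http
    option http-server-close    # keep-alive with per-request analysis
    option forwardfor           # request appending

frontend web_in
    bind *:80
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    default_backend app

frontend plain_in
    bind *:8080
    option httpclose            # keep-alive disabled here
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    default_backend app

backend app
    server s1 10.0.0.10:8080
"""

if __name__ == "__main__":
    for name in audit(SAMPLE_CFG):
        print(f"{name}: keep-alive + HTTP inspection in tcp-request + request "
              f"appending present; upgrade to 1.4.23 or later")
```

Run it against a real `haproxy.cfg` by passing the file contents to `audit()`. A flagged section only means the advisory's prerequisites are present in that frontend; the fix remains the upgrade to 1.4.23 named in the post, and a temporary workaround of removing one of the three conditions should be weighed against what that frontend actually needs (for example, dropping `option forwardfor` loses client addresses in backend logs).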