{ "threat_severity" : "Important", "public_date" : "2019-01-08T00:00:00Z", "bugzilla" : { "description" : "haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash", "id" : "1663060", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1663060" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame.", "A flaw was found in HAProxy, versions before 1.8.17 and 1.9.1. Mishandling occurs when a priority flag is set on too short HEADERS frame in the HTTP/2 decoder, allowing an out-of-bounds read and a subsequent crash to occur. A remote attacker can exploit this flaw to cause a denial of service. Those who do not use HTTP/2 are unaffected." ], "statement" : "HTTP/2 support was added to haproxy in version 1.8, therefore OpenShift Container Platform (OCP) 3.7 and earlier are unaffected by this flaw, see [1]. OCP 3.11 added a configuration option to ose-haproxy-router that made enabling HTTP/2 support easy, [2]. Prior to that, in versions OCP 3.9 and 3.10, an administrator had to customize the haproxy router configuration to add HTTP/2 support, [3]. OCP 3.9, and 3.10 are rated as moderate because HTTP/2 support was not a standard configuration option, and therefore unlikely to be enabled.\nVersions of haproxy included in Red Hat Enterprise Linux 6 and 7, excluding rh-haproxy18-haproxy in Red Hat Software Collections, are unaffected as they package versions of haproxy before 1.7.\n[1] http://www.haproxy.org/news.html\n[2] https://github.com/openshift/origin/pull/19968\n[3] https://docs.openshift.com/container-platform/3.10/install_config/router/customized_haproxy_router.html", "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 3.10", "release_date" : "2019-03-14T00:00:00Z", "advisory" : "RHSA-2019:0548", "cpe" : "cpe:/a:redhat:openshift:3.10::el7", "package" : "haproxy-0:1.8.17-3.el7", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-enterprise-service-catalog-1:3.11.82-1.git.1673.133961e.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-0:3.11.82-1.git.0.08bc31b.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-cluster-autoscaler-0:3.11.82-1.git.0.efb6af0.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-descheduler-0:3.11.82-1.git.300.89765c9.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-dockerregistry-0:3.11.82-1.git.452.0ce6383.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-metrics-server-0:3.11.82-1.git.52.2fdca3f.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-node-problem-detector-0:3.11.82-1.git.254.a448936.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-service-idler-0:3.11.82-1.git.14.e353758.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-web-console-0:3.11.82-1.git.355.5e8b1d9.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "golang-github-openshift-oauth-proxy-0:3.11.82-1.git.425.7cac034.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "golang-github-prometheus-alertmanager-0:3.11.82-1.git.0.3bf41ce.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "golang-github-prometheus-node_exporter-0:3.11.82-1.git.1063.48444e8.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "golang-github-prometheus-prometheus-0:3.11.82-1.git.5027.9d24833.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "haproxy-0:1.8.17-3.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "jenkins-0:2.150.2.1549032159-1.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "jenkins-2-plugins-0:3.11.1549642489-1.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift-ansible-0:3.11.82-3.git.0.9718d0a.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift-enterprise-autoheal-0:3.11.82-1.git.219.0b5aff4.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2019-02-20T00:00:00Z", "advisory" : "RHBA-2019:0326", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift-enterprise-cluster-capacity-0:3.11.82-1.git.380.cf11c51.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.9", "release_date" : "2019-03-14T00:00:00Z", "advisory" : "RHSA-2019:0547", "cpe" : "cpe:/a:redhat:openshift:3.9::el7", "package" : "haproxy-0:1.8.17-3.el7", "impact" : "moderate" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-02-05T00:00:00Z", "advisory" : "RHSA-2019:0275", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-haproxy18-haproxy-0:1.8.4-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-02-05T00:00:00Z", "advisory" : "RHSA-2019:0275", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-haproxy18-haproxy-0:1.8.4-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-02-05T00:00:00Z", "advisory" : "RHSA-2019:0275", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-haproxy18-haproxy-0:1.8.4-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-02-05T00:00:00Z", "advisory" : "RHSA-2019:0275", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-haproxy18-haproxy-0:1.8.4-4.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "haproxy", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "haproxy", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "haproxy", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat OpenShift Container Platform 3.7", "fix_state" : "Not affected", "package_name" : "haproxy", "cpe" : "cpe:/a:redhat:openshift:3.7" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "haproxy", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenStack Platform 12 (Pike)", "fix_state" : "Out of support scope", "package_name" : "rhosp12/openstack-haproxy", "cpe" : "cpe:/a:redhat:openstack:12", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-haproxy", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 14 (Rocky)", "fix_state" : "Not affected", "package_name" : "openstack-haproxy-container", "cpe" : "cpe:/a:redhat:openstack:14", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-20615\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-20615" ], "name" : "CVE-2018-20615", "mitigation" : { "value" : "HTTP/2 support is disabled by default on OpenShift Container Platform 3.11. To mitigate this vulnerability keep it disabled. You can verify if HTTP/2 support is enabled by following the instructions in the upstream pull request, [1].\n[1] https://github.com/openshift/origin/pull/19968", "lang" : "en:us" }, "csaw" : false }