A flaw was found in the way HAProxy processed HTTP responses containing the Set-Cookie2 header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.
Weakness
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Haproxy | Haproxy | 2.2.0 (including) | 2.2.21 (excluding) |
| Haproxy | Haproxy | 2.3.0 (including) | 2.3.18 (excluding) |
| Haproxy | Haproxy | 2.4.0 (including) | 2.4.13 (excluding) |
| Red Hat OpenShift Container Platform 4.6 | RedHat | haproxy-0:2.0.16-3.el7 | * |
| Red Hat OpenShift Container Platform 4.7 | RedHat | haproxy-0:2.0.19-3.el7 | * |
| Red Hat OpenShift Container Platform 4.8 | RedHat | haproxy-0:2.2.13-3.el8 | * |
| Red Hat OpenShift Container Platform 4.9 | RedHat | haproxy-0:2.2.15-4.el8 | * |
| Haproxy | Ubuntu | esm-infra/focal | * |
| Haproxy | Ubuntu | focal | * |
| Haproxy | Ubuntu | impish | * |
| Haproxy | Ubuntu | trusty | * |
| Haproxy | Ubuntu | xenial | * |
References
- https://access.redhat.com/security/cve/cve-2022-0711
- https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
- https://www.debian.org/security/2022/dsa-5102
- https://www.mail-archive.com/haproxy%40formilux.org/msg41833.html
- https://access.redhat.com/security/cve/cve-2022-0711
- https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
- https://www.debian.org/security/2022/dsa-5102
- https://www.mail-archive.com/haproxy%40formilux.org/msg41833.html