Willy,

On 02.04.20 at 15:03, Willy Tarreau wrote:
> The main driver for this release is that it contains a fix for a serious
> vulnerability that was responsibly reported last week by Felix Wilhelm
> from Google Project Zero, affecting the HPACK decoder used for HTTP/2.
> CVE-2020-11100 was assigned to this issue.
> 
> There is no configuration-based workaround for 2.1 and above.
> 
> This vulnerability makes it possible under certain circumstances to write
> to a wide range of memory locations within the process' heap, with the
> limitation that the attacker doesn't control the absolute address, so the
> most likely result and by a far margin will be a process crash, but it is
> not possible to completely rule out the faint possibility of a remote code
> execution, at least in a lab-controlled environment. Felix was kind enough
> to agree to delay the publication of his findings to the 20th of this month
> in order to leave enough time to haproxy users to apply updates. But please
> do not wait, as it is not very difficult to figure how to exploit the bug
> based on the fix. Distros were notified and will also have fixes available
> very shortly.
> 

The write-up is available now:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2023

It has a "Methodology-Fuzzing" label, so after CVE-2018-14645 and
CVE-2018-20615 this is the 3rd CVE within H2 found using fuzzing that
I'm aware of. It probably won't be the last. Can we please allocate some
resources on making HAProxy more fuzzer friendly after 2.2 is out?

I would also be interested in how Felix Wilhelm performed the fuzzing,
do you happen to have details about that?

Best regards
Tim Düsterhus
