December 2023 - CVE-2023-45539: HAProxy Accepts # as Part of the URI Component Fixed

We have received questions regarding CVE-2023-45539 issued in November 2023. The versions of our products released on Monday, 21 August 2023 to fix CVE-2023-40225 also fixed the vulnerability in CVE-2023-45539. Users who updated HAProxy in response to CVE-2023-40225 do not need to take further action.

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

In some cases the "path" sample fetch function incorrectly accepts '#' as part of the path component. This can in some cases lead to misrouted requests for rules that would apply on the suffix:

 use_backend static if { path_end .png .jpg .gif .css .js }

Nowadays most popular web servers such as Apache and NGINX will not accept invalid requests such as this, but other, non-compliant servers might.

Previously HAProxy accepted # as part of the path by default and would reject it only when the "normalize-uri" rules were configured. With this update we reject it by default. However, it is still possible to accept it using "option accept-invalid-http-request"; if this applies to you, please reach out to Support as we would like to understand your use case.

If you are using an affected product, you should upgrade to the fixed version or apply the workaround configuration detailed below.

We would like to thank Seth Manesse and Paul Plasil who reported that the "path" sample fetch function incorrectly accepts '#' as part of the path component.

Affected versions and remediation

HAProxy Technologies released new versions of HAProxy, HAProxy Enterprise, HAProxy ALOHA, and HAProxy Kubernetes Ingress Controller on Monday, 21 August 2023. These releases patched the vulnerability described in CVE-2023-45539.

Users of the affected products should upgrade to the fixed version as soon as possible.

Users of Amazon AMIs and Azure VHDs: please note that cloud images have been updated with this patch.

| Affected version | Fixed version |
| --- | --- |
| HAProxy 2.8 | 2.8.2 |
| HAProxy 2.7 | 2.7.10 |
| HAProxy 2.6 | 2.6.15 |
| HAProxy 2.4 | 2.4.24 |
| HAProxy 2.2 | 2.2.31 |
| HAProxy 2.0 | 2.0.33 |
| HAProxy Enterprise 2.7r1 | 2.7r1-300.867 |
| HAProxy Enterprise 2.6r1 | 2.6r1-292.1120 |
| HAProxy Enterprise 2.5r1 | 2.5r1-288.805 |
| HAProxy Enterprise 2.4r1 | 2.4r1-288.1158 |
| HAProxy Enterprise 2.2r1 | 2.2r1-257.1005 |
| HAProxy Enterprise 2.0r1 | 2.0r1-250.1592 |
| HAProxy ALOHA 15.0 | 15.0.6 |
| HAProxy ALOHA 14.5 | 14.5.12 |
| HAProxy ALOHA 14.0 | 14.0.17 |
| HAProxy ALOHA 13.5 | 13.5.24 |
| HAProxy ALOHA 12.5 | 12.5.23 |
| HAProxy Kubernetes Ingress Controller 1.10 | v1.10.7 |
| HAProxy Kubernetes Ingress Controller 1.9 | v1.9.10 |
| HAProxy Kubernetes Ingress Controller 1.8 | Not maintained anymore |
| HAProxy Kubernetes Ingress Controller 1.7 | Not maintained anymore |
| HAProxy Enterprise Kubernetes Ingress Controller 1.9 | v1.9.12-ee1 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.8 | v1.8.12-ee7 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.7 | v1.7.12-ee4 |

Workaround

If you are not able to update right away, this behavior can be selectively configured using the "http-request normalize-uri fragment-encode" and "http-request normalize-uri fragment-strip" rules, placed before any rule that inspects the path.
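The following configuration is an added example, not part of this advisory or of HAProxy's own sample configurations. It puts the suffix-based routing rule quoted above together with the workaround from this section, so that the fragment normalization runs before the "path" sample is evaluated. The backend names, bind port and server addresses are assumptions for illustration only.

```haproxy
# Added example (not from the advisory): a minimal frontend that applies the
# documented workaround ahead of a suffix-based routing rule.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind :80

    # Workaround from the advisory: drop any '#fragment' from the request
    # target before path-based rules run. For a request line of
    # "GET /index.html#.png HTTP/1.1" the "path" sample then yields
    # "/index.html", so the static suffix rule below no longer matches.
    http-request normalize-uri fragment-strip

    # Alternative named in the advisory: keep the character but percent-encode
    # it, so the backend receives "%23" rather than a bare '#' it might
    # misinterpret as a fragment delimiter. Use one of the two, not both.
    # http-request normalize-uri fragment-encode

    # Re-enabling the old behavior on fixed versions is possible with the
    # option below; the advisory asks anyone who needs it to contact Support.
    # option accept-invalid-http-request

    # The suffix rule quoted in the advisory. On unpatched versions without
    # the normalization above, "path" could still contain '#', which is how
    # "/index.html#.png" was routed to the static backend.
    use_backend static if { path_end .png .jpg .gif .css .js }
    default_backend app

backend static
    server s1 127.0.0.1:8081   # assumed static file server

backend app
    server a1 127.0.0.1:8080   # assumed application server
```

The "normalize-uri" rules are only available on HAProxy 2.4 and later, which matches the oldest community branch in the table above that received the "fragment" normalizers; on a fixed version the normalization is no longer required for this issue, but it remains harmless and keeps the routing decision independent of how each backend treats '#'.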

Support

If you are an HAProxy Enterprise, HAProxy ALOHA, or HAProxy Enterprise Kubernetes Ingress Controller customer and have questions about upgrading to the latest version or applying the configuration workaround detailed above, please get in touch with the HAProxy support team.
