The latest versions of our products fix a vulnerability in the HTTP/1.1 client of Go's standard library, which mishandles certain response codes. It affects multiple HAProxy Technologies products that are written in Go.
CVE-2024-24791 is a denial of service (DoS) vulnerability in the HTTP/1.1 client of Go's net/http package. When the client sends a request carrying an "Expect: 100-continue" header and the server answers with a non-informational status (for example, 200 OK instead of 100 Continue) before the request body has been sent, the client leaves the connection in an invalid state, and the next request reused on that connection fails. A proxy built on net/http/httputil.ReverseProxy is exposed because an attacker can send "Expect: 100-continue" requests that elicit such a response from the backend; each one leaves the proxy with an invalid connection and causes one subsequent request on that connection to fail, degrading service.
If you are using an affected product, you should upgrade to the fixed version as soon as possible. There is no workaround available.
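The table of affected products below covers HAProxy Technologies releases, but the same bug sits in any Go binary linked against an unpatched net/http. The following program is an added example written for this page, not HAProxy code: it reads the build information that the Go linker embeds in every executable (the same data that `go version -m` prints) and compares the recorded toolchain version against the Go releases that shipped the fix, go1.21.12 and go1.22.5. The `fixedGoVersions` table, the `affected` and `checkBinary` helpers and their classification rules are this example's own assumptions: release lines older than 1.21 are treated as affected because they no longer receive security fixes, and toolchain strings that cannot be parsed (such as `devel` builds) are flagged for manual review rather than silently passed.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// fixedGoVersions maps a Go minor release line (1.N) to the first patch
// release on that line that contains the net/http fix for CVE-2024-24791.
// (Assumption for this example, taken from the Go security release of 2 July 2024.)
var fixedGoVersions = map[int]int{
	21: 12, // go1.21.12
	22: 5,  // go1.22.5
}

// parseGoVersion turns a toolchain string such as "go1.22.3", "go1.22" or
// "go1.23rc1" into (minor, patch). It returns ok=false for strings it cannot
// parse (for example "devel go1.23-...") so callers can flag them for review.
func parseGoVersion(v string) (minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, false
	}
	// Keep only the leading digits of a component so that "23rc1" parses as 23.
	leadingInt := func(s string) (int, bool) {
		i := 0
		for i < len(s) && s[i] >= '0' && s[i] <= '9' {
			i++
		}
		if i == 0 {
			return 0, false
		}
		n, err := strconv.Atoi(s[:i])
		return n, err == nil
	}
	if minor, ok = leadingInt(parts[1]); !ok {
		return 0, 0, false
	}
	if len(parts) > 2 {
		if patch, ok = leadingInt(parts[2]); !ok {
			return 0, 0, false
		}
	}
	return minor, patch, true
}

// affected reports whether a binary built with the given toolchain version
// still carries the vulnerable net/http client, with a short reason.
func affected(goVersion string) (vulnerable bool, reason string) {
	minor, patch, ok := parseGoVersion(goVersion)
	if !ok {
		return true, "unrecognised toolchain version, review manually"
	}
	fixedPatch, supported := fixedGoVersions[minor]
	switch {
	case minor > 22:
		return false, "release line newer than the fix"
	case !supported:
		return true, "release line older than go1.21 never received the fix"
	case patch < fixedPatch:
		return true, fmt.Sprintf("fixed in go1.%d.%d", minor, fixedPatch)
	default:
		return false, "patched release"
	}
}

// checkBinary reads the build info embedded in a Go executable on disk
// and classifies it with affected.
func checkBinary(path string) (goVersion string, vulnerable bool, reason string, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, "", err
	}
	vulnerable, reason = affected(bi.GoVersion)
	return bi.GoVersion, vulnerable, reason, nil
}

func main() {
	// With no arguments, inspect the running program itself via runtime/debug;
	// with arguments, inspect each path (e.g. an ingress controller or dataplaneapi binary).
	if len(os.Args) < 2 {
		if bi, ok := debug.ReadBuildInfo(); ok {
			v, why := affected(bi.GoVersion)
			fmt.Printf("self: %s vulnerable=%t (%s)\n", bi.GoVersion, v, why)
		}
		return
	}
	for _, p := range os.Args[1:] {
		ver, v, why, err := checkBinary(p)
		if err != nil {
			fmt.Printf("%s: %v\n", p, err)
			continue
		}
		fmt.Printf("%s: %s vulnerable=%t (%s)\n", p, ver, v, why)
	}
}
```

Run it against the executables you ship or pull from container images, e.g. `go run check.go /usr/local/bin/dataplaneapi`. The toolchain version is necessary but not sufficient evidence: a binary built with a patched Go is clear of this CVE, but an unpatched one is only exploitable if it acts as an HTTP client or reverse proxy that forwards attacker-controlled "Expect: 100-continue" requests.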
Affected Versions & Remediation
HAProxy Technologies released new versions of HAProxy Fusion, HAProxy Enterprise Verify Crawler Module, HAProxy ALOHA, HAProxy Kubernetes Ingress Controller, HAProxy Enterprise Kubernetes Ingress Controller, Data Plane API, and Data Plane API Enterprise on Thursday, 4 July 2024. These releases patch the vulnerability described in CVE-2024-24791 (CVSSv3 base score 7.5).
Users of the affected products should upgrade to the fixed version as soon as possible by following the instructions below:
- Update HAProxy Enterprise to patch the Verify Crawler Module.
- Update Data Plane API by installing the fixed version from the GitHub repository.
| Affected version | Fixed version |
| --- | --- |
| HAProxy Fusion 1.2 | 1.2.32 |
| HAProxy Fusion 1.1 | 1.1.15 |
| HAProxy Fusion 1.0 | 1.0.22 |
| HAProxy Fusion fusionctl | hapee-fusion-fusionctl-release-fusion-13.0 1.0.0-13.0 |
| HAProxy Enterprise Verify Crawler Module | hapee-verify-crawler-release-extras-25.3 1.1-25.3 |
| HAProxy ALOHA Management Package 16.0 | 16.0-1.0.4 |
| HAProxy ALOHA Management Package 15.5 | 15.5-1.0.16 |
| HAProxy ALOHA Management Package 14.5 | 14.5-1.0.20 |
| HAProxy ALOHA Management Package 13.5 | 13.5-1.0.22 |
| HAProxy Kubernetes Ingress Controller 3.0 | 3.0.1 |
| HAProxy Kubernetes Ingress Controller 1.11 | 1.11.6 |
| HAProxy Kubernetes Ingress Controller 1.10 | 1.10.16 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.11 | 1.11.6-ee1 |
| HAProxy Enterprise Kubernetes Package 2.8 | hapee-kubernetes-ingress-release-2.8r1-17.0 1.0.0-17.0 |
| HAProxy Enterprise Kubernetes Package 2.6 | hapee-kubernetes-ingress-release-2.6r1-20.0 1.0.0-20.0 |
| HAProxy Enterprise Kubernetes Package 2.4 | hapee-kubernetes-ingress-release-2.4r1-21.0 1.0.0-21.0 |
| Data Plane API 2.9 | 2.9.5 |
| Data Plane API 2.8 | 2.8.9 |
| Data Plane API 2.7 | 2.7.13 |
| Data Plane API Enterprise 2.9 | hapee-dataplaneapi29-release-extras-179.0 2.9.4-179.0 |
| Data Plane API Enterprise 2.8 | hapee-dataplaneapi28-release-extras-187.0 2.8.8-187.0 |
| Data Plane API Enterprise 2.6 | hapee-dataplaneapi26-release-extras-161.0 2.6.5-161.0 |
Support
If you are a customer and have questions about upgrading to the latest version, please get in touch with the HAProxy support team.