The latest versions of our products fix a vulnerability related to a possible endless loop in the HTTP/2 multiplexer when it is combined with the zero-copy forwarding system in HAProxy, HAProxy Enterprise (including public and private cloud images), HAProxy ALOHA, HAProxy Kubernetes Ingress Controller, and HAProxy Enterprise Kubernetes Ingress Controller.
The issue in the HTTP/2 multiplexer allows remote attackers to trigger, under very rare conditions, an endless loop in HAProxy, which can result in a crash.
If you are using an affected version of our product, you should upgrade to the fixed version as soon as possible or apply the workaround until you can upgrade.
Workaround
If you are not able to update right away, you can disable the zero-copy forwarding system to mitigate the issue. Add the following configuration directive in your HAProxy’s global section:
global
    …
    tune.h2.zero-copy-fwd-send off
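To confirm the workaround is actually in effect on a host that cannot yet be upgraded, the following added check (not part of the advisory or of HAProxy itself) parses a haproxy.cfg, tracks which section each line belongs to, and reports the effective value of tune.h2.zero-copy-fwd-send in the global section. The sample configurations are constructed; the check assumes no '#' characters inside quoted values and applies HAProxy's last-assignment-wins rule.

```python
# Keywords that open a new configuration section in HAProxy. HAProxy does
# not require directives to be indented, so the first token decides.
SECTION_KEYWORDS = {
    "global", "defaults", "frontend", "backend", "listen", "peers",
    "resolvers", "cache", "userlist", "mailers", "program", "ring",
    "http-errors", "log-forward", "crt-store",
}
DIRECTIVE = "tune.h2.zero-copy-fwd-send"


def zero_copy_fwd_send(cfg_text: str):
    """Return the value given to tune.h2.zero-copy-fwd-send in the global
    section(s), or None if it is never set there (HAProxy defaults to on).
    When set more than once, the last assignment wins, as in HAProxy."""
    section = None
    value = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' in quoted values
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            section = tokens[0]
            continue
        # tune.* keywords are only valid in global; a copy placed elsewhere
        # is rejected by HAProxy at startup and is not counted here either.
        if section == "global" and tokens[0] == DIRECTIVE and len(tokens) >= 2:
            value = tokens[1].lower()
    return value


def workaround_applied(cfg_text: str) -> bool:
    """True only when zero-copy forwarding for H2 sends is explicitly off."""
    return zero_copy_fwd_send(cfg_text) == "off"


# Constructed sample configurations (not taken from the advisory).
CFG_NO_WORKAROUND = "global\n    maxconn 4096\n\ndefaults\n    mode http\n"
CFG_WRONG_SECTION = (
    "global\n    maxconn 4096\n\ndefaults\n"
    "    tune.h2.zero-copy-fwd-send off  # wrong section, not global\n"
)
CFG_WORKAROUND = (
    "global\n    maxconn 4096\n"
    "    tune.h2.zero-copy-fwd-send off  # advisory workaround\n"
)

if __name__ == "__main__":
    for name, cfg in [("no workaround", CFG_NO_WORKAROUND),
                      ("wrong section", CFG_WRONG_SECTION),
                      ("workaround", CFG_WORKAROUND)]:
        print(f"{name}: mitigated={workaround_applied(cfg)}")
```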
Affected Versions & Remediation
Users of the affected products should upgrade to the fixed version as soon as possible by following the instructions below.
Amazon AMIs and Azure VHDs are available.
| Affected version | Fixed version |
| HAProxy 3.0 | 3.0.4 |
| HAProxy 2.9 | 2.9.10 |
| HAProxy Enterprise 2.9r1 | hapee-2.9r1-lb 1.0.0-328.475 |
| HAProxy ALOHA 16.0 | 16.0.4 |
| HAProxy Kubernetes Ingress Controller 3.0 | 3.0.1 |
| HAProxy Kubernetes Ingress Controller 1.11 | 1.11.6 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.11 | 1.11.6-ee7 |
| HAProxy Enterprise Kubernetes Ingress Controller 1.7 | 1.7.12-ee12 |
Support
If you are a customer and have questions about upgrading to the latest version, please get in touch with the HAProxy support team.