changelog:
Sept 7: Updated now that AWS and Azure images are available.
The latest versions of our products fix a vulnerability related to the HTTP header Content-Length. The incorrect behavior allowed for an empty Content-Length header to pass through HAProxy to backend web servers instead of being outright rejected. Then a request containing two Content-Length headers—one empty and one perfectly valid—would be transmitted as-is to the server, and if this server incorrectly used the empty one and interpreted it as having a value of zero, this would allow the content to be taken for a new request, bypassing the inspection.
Popular web servers such as Apache and NGINX are not susceptible to such an invalid request, but other, non-compliant servers may be.
If you are using an affected product, you should upgrade to the fixed version or apply the workaround configuration detailed below.
We would like to thanks Ben Kallus of Dartmouth College and Narf Industries for reporting this issue.
Workaround
If you are not able to update right away, you can apply the following rules to mitigate the issues. Add this to your exposed frontend and then restart your HAProxy instance.
frontend myfrontend | |
http-request deny if { hdr_len(content-length) 0 } |
Affected Versions & Remediation
HAProxy Technologies released new versions of HAProxy, HAProxy Enterprise, and HAProxy ALOHA on Monday, 21 August 2023. These releases patch the vulnerability described in CVE-2023-40225 (CVSSv3 score of 7.2). Configurations running on HAProxy version 2.0 in legacy mode (no option http-use-htx), as well as end-of-life versions prior to HAProxy / HAProxy Enterprise 2.0 and HAProxy ALOHA 12.5 are not affected.
Users of the affected products should upgrade to the fixed version as soon as possible.
HAProxy Enterprise users can follow the update instructions.
HAProxy ALOHA users can follow the update instructions.
To upgrade HAProxy Enterprise as a Docker container, follow the instructions.
Amazon AMIs and Azure VHDs are available.
Affected version | Fixed version |
HAProxy 2.8 | 2.8.2 |
HAProxy 2.7 | 2.7.10 |
HAProxy 2.6 | 2.6.15 |
HAProxy 2.4 | 2.4.24 |
HAProxy 2.2 | 2.2.31 |
HAProxy 2.0 | 2.0.33 |
HAProxy Enterprise 2.7r1 | 2.7r1-300.867 |
HAProxy Enterprise 2.6r1 | 2.6r1-292.1120 |
HAProxy Enterprise 2.5r1 | 2.5r1-288.805 |
HAProxy Enterprise 2.4r1 | 2.4r1-288.1158 |
HAProxy Enterprise 2.2r1 | 2.2r1-257.1005 |
HAProxy Enterprise 2.0r1 | 2.0r1-250.1592 |
HAProxy ALOHA 15.0 | 15.0.6 |
HAProxy ALOHA 14.5 | 14.5.12 |
HAProxy ALOHA 14.0 | 14.0.17 |
HAProxy ALOHA 13.5 | 13.5.24 |
HAProxy ALOHA 12.5 | 12.5.23 |
Support
If you are an HAProxy Enterprise or HAProxy ALOHA customer and have questions about upgrading to the latest version or applying the configuration workaround detailed above, please get in touch with the HAProxy support team.
Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.