On Tuesday, November 1, the OpenSSL project released a new version of OpenSSL (version 3.0.7) to patch a high severity vulnerability in versions 3.0 and above.
If you are using OpenSSL version 3.0 or above with HAProxy, you should update to OpenSSL version 3.0.7 immediately and restart your HAProxy instance. If you are using OpenSSL 1.1.1, then you are not affected.
Here are the latest vulnerability details from CVE-2022-3602 and CVE-2022-3786.
Does This Affect You?
HAProxy and HAProxy Enterprise use dynamic linking to OpenSSL libraries shipped with operating systems, which are distribution specific. This means HAProxy users should keep OpenSSL libraries up to date by following the method specific to their operating system and distribution.
Some users might use OpenSSL version 3.0 or above in their HAProxy instances. You should check which version of OpenSSL you are using with HAProxy.
Run the following command to check which version of OpenSSL you are using with HAProxy:
HAProxy Enterprise:
/opt/hapee-2.6/sbin/hapee-lb -vv
HAProxy:
haproxy -vv
This issue does not affect HAProxy ALOHA, which is packaged with OpenSSL version 1.1.1. HAProxy Kubernetes Ingress Controller and any HAProxy public cloud images are also not affected by this issue.
How to Secure HAProxy With OpenSSL Version 3.0 and Above
If you are using HAProxy Enterprise or HAProxy with OpenSSL version 3.0 or above, follow these steps to fix the OpenSSL vulnerability.
Update your OpenSSL library to version 3.0.7 as soon as possible on Tuesday, Nov 1.
Restart your HAProxy instance.
You do not need to download a new HAProxy image or update your HAProxy configuration.
If you are an HAProxy Enterprise customer and have questions about updating to OpenSSL version 3.0.7, please get in touch with the HAProxy support team.
Changelog
11/02/2022 10:00 AM EDT: added a link to the OpenSSL Security Advisory regarding CVE-2022-3602 and CVE-2022-3786, replacing link to OpenSSL vulnerabilities list.
11/02/2022 11:00 AM EDT: changed intro sentence to past tense.
11/02/2022 05:00 PM EDT: changed nomenclature of vulnerability from ‘critical’ to ‘high severity’, following disclosure of the CVE.