July 2024 – CVE-2024-6387: RCE in OpenSSH's server

The latest versions of our products fix a vulnerability related to OpenSSH’s server (sshd), which is used in the public/private cloud images of HAProxy Enterprise and the hardware/virtual appliances of HAProxy ALOHA.

A vulnerability in sshd’s SIGALRM handler permits unauthenticated remote code execution as root. This allows remote attackers to cause a denial of service (DoS), and possibly execute arbitrary code.

If you are using an affected product, you should upgrade to the fixed version as soon as possible. There is no workaround available.

Affected Versions & Remediation

HAProxy Technologies released new versions of HAProxy Enterprise and HAProxy ALOHA on Thursday, 4 July 2024. These releases patch the vulnerability described in CVE-2024-6387 (CVSSv3 score of 8.1). 

Users of the affected products should upgrade to the fixed version as soon as possible by following the instructions below.

  • Update HAProxy Enterprise public/private cloud images using your Linux distribution’s regular package management operation, for example by using apt or yum

  • Update HAProxy ALOHA

Amazon AMIs and Azure VHDs are available.

Affected version

Fixed version

HAProxy ALOHA 16.0


HAProxy ALOHA 15.5


HAProxy ALOHA 14.5


HAProxy Enterprise public / private cloud images based on rhel9, ubuntu 22.04 and 24.04, debian 12

Any version published on or after 2024-07-04


If you are an HAProxy Enterprise or HAProxy ALOHA customer and have questions about upgrading to the latest version, please get in touch with the HAProxy support team.

Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.