CVE-2021-40346: Duplicate 'Content-Length' Header Fixed (September 2021)

If you are using HAProxy 2.0 or newer, it is important that you update to the latest version. A vulnerability was found that makes it possible for an attacker to bypass the check for a duplicate HTTP Content-Length header, permitting a request smuggling attack or a response-splitting attack. Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value. Due to the difficulty of executing such an attack, the risk is low.

Affected Versions and Remediation

The following section lists the affected versions and the fixed versions. We recommend that you upgrade if you are using any of these.

Affected Version                                        Fixed Version
HAProxy 2.0                                             2.0.25
HAProxy 2.2                                             2.2.17
HAProxy 2.3                                             2.3.14
HAProxy 2.4                                             2.4.4
HAProxy Enterprise 2.0r1                                2.0r1-235.1230
HAProxy Enterprise 2.1r1                                2.1r1-238.625
HAProxy Enterprise 2.2r1                                2.2r1-241.505
HAProxy Enterprise 2.3r1                                2.3r1-242.345
HAProxy Kubernetes Ingress Controller 1.6               1.6.7
HAProxy Enterprise Kubernetes Ingress Controller 1.6    1.6.7
HAProxy ALOHA 11.5                                      11.5.13
HAProxy ALOHA 12.5                                      12.5.5
HAProxy ALOHA 13.0                                      13.0.7

Workarounds

If you are not able to update right away, you can apply the following rules to mitigate the issue. Add them to the frontend section that receives the traffic in question.

frontend myfrontend
    http-request deny if { req.hdr_cnt(content-length) gt 1 }
    http-response deny if { res.hdr_cnt(content-length) gt 1 }

These lines reject requests or responses that have more than one Content-Length header.
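The policy those two rules express is easy to state but worth seeing applied to raw bytes, since the advisory's point is that a duplicate header can hide behind a malformed header name. The following added example (not HAProxy code, and not from the advisory) parses an HTTP/1.1 message head with a strict header-name grammar, counts Content-Length occurrences the way req.hdr_cnt(content-length) does, and applies the same "more than one means deny" decision. The three sample messages are constructed for the example; a message whose header lines cannot be parsed is treated as deniable too, because a proxy should not forward a message whose framing it cannot determine.

```python
"""Added example (not HAProxy code): count Content-Length headers in a raw
HTTP/1.1 message and apply the advisory's workaround policy
(deny when the header appears more than once)."""
import re

# A header name is an RFC 7230 token (tchar characters only) followed
# immediately by ':'; no whitespace is allowed between name and colon.
_HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_headers(raw: bytes) -> list[tuple[bytes, bytes]]:
    """Split a raw HTTP/1.1 message head into (lower-cased name, value) pairs.

    Raises ValueError on any header line that is not a well-formed
    'token ":" value' line, so a malformed name is never silently
    folded into a neighbouring header.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        raise ValueError("empty message")
    headers = []
    for line in lines[1:]:  # lines[0] is the request or status line
        m = _HEADER_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    return headers


def header_count(raw: bytes, name: str) -> int:
    """Equivalent of req.hdr_cnt(<name>) / res.hdr_cnt(<name>)."""
    wanted = name.lower().encode()
    return sum(1 for n, _ in parse_headers(raw) if n == wanted)


def should_deny(raw: bytes) -> bool:
    """Workaround policy: deny when Content-Length appears more than once.

    Messages that do not parse are denied as well, since their framing
    is undetermined.
    """
    try:
        return header_count(raw, "content-length") > 1
    except ValueError:
        return True


# Constructed sample messages (not taken from the advisory).
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DUPLICATE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\ncontent-length: 5\r\n\r\nhello")
# Whitespace before the colon makes the name invalid under RFC 7230.
MALFORMED = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length : 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("duplicate", DUPLICATE),
                       ("malformed", MALFORMED)):
        print(f"{label:10s} deny={should_deny(msg)}")
```

Two design choices carry the security content. Header names are matched case-insensitively, so `Content-Length` and `content-length` count as the same header, which is also how HAProxy's hdr_cnt fetch behaves. And the name grammar is strict: any line that is not exactly `token ":" value` is an error rather than a best-effort guess, because lenient name parsing is precisely where a proxy and a backend can disagree about how many Content-Length headers a message carries.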
