Amazon Linux 2 Security Advisory: ALASHAPROXY2-2023-005
Advisory Release Date: 2023-08-21 21:01 Pacific
Advisory Updated Date: 2023-09-25 22:11 Pacific
A flaw was found in haproxy. An input validation flaw when processing HTTP/2 requests causes haproxy to not ensure that the scheme and path portions of a URI have the expected characters. This may cause specially crafted input to bypass implemented security restrictions. The highest threat from this vulnerability is confidentiality. (CVE-2021-39240)
haproxy has an input validation flaw that could allow a remote attacker to bypass implemented security restrictions. An HTTP method name may contain a space followed by the name of a protected resource. Given this, it is possible that a server would interpret this as a request for that protected resource. The highest threat from this vulnerability is possible confidentiality concerns. (CVE-2021-39241)
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled. (CVE-2021-39242)
Proxy server haproxy has a flaw that could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by haproxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in haproxy while parsing an HTTP request. The highest threat from this vulnerability is integrity. (CVE-2021-40346)
Affected Packages:
haproxy2
Note:
This advisory is applicable to Amazon Linux 2 - Haproxy2 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update haproxy2 to update your system.
aarch64:
haproxy2-2.2.17-1.amzn2.0.1.aarch64
haproxy2-debuginfo-2.2.17-1.amzn2.0.1.aarch64
src:
haproxy2-2.2.17-1.amzn2.0.1.src
x86_64:
haproxy2-2.2.17-1.amzn2.0.1.x86_64
haproxy2-debuginfo-2.2.17-1.amzn2.0.1.x86_64
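As an added example (not part of this advisory or of the Amazon Linux tooling), the script below checks whether the haproxy2 package installed on a host is at or above the fixed build listed above, so the update can be verified after running yum. The fixed version and release strings are taken from the package names in this advisory; the segment-by-segment comparison is a simplified stand-in for rpm's own version ordering, written so the check also runs where rpm is not available.

```shell
#!/bin/sh
# Added example, not part of the ALAS advisory: report whether the installed
# haproxy2 package is at or above the fixed build listed in ALASHAPROXY2-2023-005.
# The fixed version/release below come from the advisory's package list.

FIXED_VERSION="2.2.17"
FIXED_RELEASE="1.amzn2.0.1"

# is_num S: succeed if S is a non-empty string of digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cmp_dotted A B: compare dot-separated strings segment by segment (numeric
# segments numerically, others lexically; a missing segment counts as 0).
# Prints -1, 0 or 1 for A<B, A=B, A>B. Simplified compared to rpm's ordering.
cmp_dotted() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if is_num "$x" && is_num "$y"; then
            [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
            [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
        elif [ "$x" != "$y" ]; then
            # Lexical order via sort: whichever sorts first is the smaller one.
            first=$(printf '%s\n%s\n' "$x" "$y" | sort | head -n 1)
            [ "$first" = "$x" ] && printf '%s\n' -1 || printf '%s\n' 1
            return 0
        fi
    done
    printf '%s\n' 0
}

# haproxy2_is_fixed VERSION RELEASE: succeed if VERSION-RELEASE is at or
# above the advisory's fixed build (version compared first, then release).
haproxy2_is_fixed() {
    c=$(cmp_dotted "$1" "$FIXED_VERSION")
    [ "$c" -gt 0 ] && return 0
    [ "$c" -lt 0 ] && return 1
    c=$(cmp_dotted "$2" "$FIXED_RELEASE")
    [ "$c" -ge 0 ]
}

# Stand-alone use on an AL2 host: query the installed package with rpm.
# Without rpm or without haproxy2 installed, print a note and do nothing else.
if command -v rpm >/dev/null 2>&1 && \
   installed=$(rpm -q --qf '%{VERSION} %{RELEASE}\n' haproxy2 2>/dev/null); then
    set -- $installed
    if haproxy2_is_fixed "$1" "$2"; then
        echo "haproxy2 $1-$2 includes the fix from ALASHAPROXY2-2023-005"
    else
        echo "haproxy2 $1-$2 is below $FIXED_VERSION-$FIXED_RELEASE: run 'yum update haproxy2'"
    fi
else
    echo "haproxy2 is not installed here (or rpm is unavailable); nothing to check"
fi
```

On an AL2 host the script reads the installed version and release with rpm and prints whether the build listed in this advisory (or a later one) is present; the comparison functions can also be sourced and called directly, for example from a fleet inventory script that already has the package NEVR strings.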