Service Notices
HAProxy Out-of-Bounds Memory Write Vulnerability (CVE-2020-11100)
Apr 09, 2020 GMT+08:00
I. Overview
HAProxy, an open-source reverse proxy, has officially disclosed an out-of-bounds memory write vulnerability (CVE-2020-11100) in its latest security update notice. An attacker may exploit this vulnerability in the HTTP/2 HPACK decoder to crash the HAProxy process, potentially leading to denial of service (DoS) or remote arbitrary code execution.
If you are an HAProxy user, check your system and apply security hardening promptly.
Reference links:
https://www.haproxy.com/blog/haproxy-1-8-http-2-hpack-decoder-vulnerability-fixed/
II. Severity
Severity: important
(Severity scale: low, moderate, important, and critical)
III. Affected Products
Affected Versions:
HAProxy 1.8.0 – 1.8.24
HAProxy Enterprise 1.8r1 1.0.0-186.251 – 193.716
HAProxy Enterprise 1.8r2 2.0.0-190.714 – 205.1000
ALOHA 10.0.0 – 10.0.14
ALOHA 10.5.0 – 10.5.12
HAProxy 1.9.0 – 1.9.14
HAProxy Enterprise 1.9r1 1.0.0-197.290 – 208.876
HAProxy ALOHA 11.0.0 – 11.0.7
HAProxy 2.0.0 – 2.0.13
HAProxy Enterprise 2.0r1 1.0.0-204.260 – 219.645
HAProxy ALOHA 11.5.0 – 11.5.3
HAProxy 2.1.0 – 2.1.3
HAProxy Enterprise 2.1r1 1.0.0-217.0 – 221.38
Secure Versions:
HAProxy 1.8.25+
HAProxy Enterprise 1.8r2 2.0.0-205.1048+
ALOHA 10.5.13+
HAProxy 1.9.15+
HAProxy Enterprise 1.9r1 1.0.0-213.948+
HAProxy ALOHA 11.0.8+
HAProxy 2.0.14+
HAProxy Enterprise 2.0r1 1.0.0-220.698+
HAProxy ALOHA 11.5.4+
HAProxy 2.1.4+
HAProxy Enterprise 2.1r1 1.0.0-221.93+
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If the version you run falls within an affected range, upgrade it to a secure version, or apply the officially published mitigation measures as a temporary safeguard until the upgrade is complete.
Note: Back up your files and test the fix thoroughly before applying it.
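The check recommended above can be scripted on the host. The following POSIX shell script is an added example, not part of this notice or of the HAProxy project: it reads the installed version from `haproxy -v` (or a version string passed as an argument) and compares it against the community HAProxy ranges listed under Affected Products (1.8.0 to 1.8.24, 1.9.0 to 1.9.14, 2.0.0 to 2.0.13, 2.1.0 to 2.1.3). It assumes the `haproxy -v` banner begins with `HA-Proxy version x.y.z` or `HAProxy version x.y.z`; HAProxy Enterprise and ALOHA builds use their own version schemes and are not covered.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an HAProxy community
# version against the CVE-2020-11100 affected ranges listed in this notice.
# Enterprise and ALOHA version schemes are intentionally not handled.

# haproxy_affected_by_cve_2020_11100 "x.y.z"
# Returns 0 when the version lies in an affected range, 1 otherwise.
haproxy_affected_by_cve_2020_11100() {
    ver=$1
    major=${ver%%.*}            # "1.8.24" -> "1"
    rest=${ver#*.}              # "1.8.24" -> "8.24"
    minor=${rest%%.*}           # "8.24"   -> "8"
    minor=${minor%%[!0-9]*}     # drop suffixes such as "-dev3"
    case $rest in
        *.*) patch=${rest#*.} ;;   # "8.24" -> "24"
        *)   patch=0 ;;            # "1.8" with no patch number -> treat as .0
    esac
    patch=${patch%%[!0-9]*}     # "24-dev3" -> "24"
    [ -z "$patch" ] && patch=0

    # Upper bounds are the last affected patch level from the notice.
    case "$major.$minor" in
        1.8) [ "$patch" -le 24 ] ;;
        1.9) [ "$patch" -le 14 ] ;;
        2.0) [ "$patch" -le 13 ] ;;
        2.1) [ "$patch" -le 3 ] ;;
        *)   return 1 ;;
    esac
}

# installed_haproxy_version
# Prints "x.y.z" parsed from the first line of `haproxy -v`, or nothing
# if haproxy is not on PATH. Assumes the banner format noted in the lead-in.
installed_haproxy_version() {
    haproxy -v 2>/dev/null \
      | sed -n '1s/^HA-\{0,1\}Proxy version \([0-9][0-9.]*\).*/\1/p'
}

# main [version]
# Exit status: 0 = affected, 1 = not in the listed ranges, 2 = version unknown.
main() {
    v=${1:-$(installed_haproxy_version)}
    if [ -z "$v" ]; then
        echo "haproxy not found in PATH; pass a version string, e.g. $0 1.8.24" >&2
        return 2
    fi
    if haproxy_affected_by_cve_2020_11100 "$v"; then
        echo "HAProxy $v: AFFECTED by CVE-2020-11100 - upgrade to a secure version"
        return 0
    fi
    echo "HAProxy $v: not in the affected ranges listed in the notice"
    return 1
}

# Run only when invoked as a script with an explicit version argument.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Run it as `sh check-haproxy.sh 1.8.24` on a host, or with no argument in a wrapper that calls `main` to probe the installed binary; the non-zero exit status for "not affected" and "unknown" is deliberate so the script can drive a fleet-wide inventory job that only flags hosts returning 0.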