CVE-2021-40346 - log

CVE-2021-40346 edited at 14 Sep 2021 08:46:02
Severity
- Critical
+ Medium
References
+ https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
- https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
- https://nvd.nist.gov/vuln/detail/CVE-2021-40346
Notes
+ A possible workaround for those who cannot upgrade is to block requests and responses featuring more than one content-length header after the overflow occured; these ones are always invalid because they're always resolved during the parsing phase, hence this condition never reaches the HTTP layer:
- A possible workaround for those who cannot upgrade is to block requests
- and responses featuring more than one content-length header after the
- overflow occured; these ones are always invalid because they're always
- resolved during the parsing phase, hence this condition never reaches
- the HTTP layer:
http-request deny if { req.hdr_cnt(content-length) gt 1 }
http-response deny if { res.hdr_cnt(content-length) gt 1 }
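Review bot: the removed line "- https://nvd.nist.gov/vuln/detail/CVE-2021-40346" under References has no matching "+" line, whereas the JFrog URL removed in the same list is only moved to the top; if dropping the NVD link was not intended, restore it. The same edit also sets Severity back to Medium, six days after the 08 Sep edit raised it to Critical, and nothing in the entry records why, so a one-line rationale in Notes would make the log easier to follow.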
CVE-2021-40346 edited at 08 Sep 2021 20:30:07
Severity
- Medium
+ Critical
CVE-2021-40346 edited at 08 Sep 2021 20:28:51
References
https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
https://nvd.nist.gov/vuln/detail/CVE-2021-40346
CVE-2021-40346 edited at 08 Sep 2021 20:28:37
References
https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
+ https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
+ https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
+ https://nvd.nist.gov/vuln/detail/CVE-2021-40346
CVE-2021-40346 edited at 08 Sep 2021 09:16:25
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A bug has been found in the HTTP header name length encoding in the HTX representation of haproxy, by which the most significant bit of the name's length can slip into the value's least significant bit. A remote attacker could craft a valid request that could inject a dummy content-length on input that would be produced on output in addition to the other one, resulting in the possibility of a blind request smuggling attack ("blind" because the response never gets back to the attacker).
References
+ https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
Notes
+ A possible workaround for those who cannot upgrade is to block requests
+ and responses featuring more than one content-length header after the
+ overflow occured; these ones are always invalid because they're always
+ resolved during the parsing phase, hence this condition never reaches
+ the HTTP layer:
+
+ http-request deny if { req.hdr_cnt(content-length) gt 1 }
+ http-response deny if { res.hdr_cnt(content-length) gt 1 }
CVE-2021-40346 created at 08 Sep 2021 09:13:53