CVE-2020-11100: 
HAProxy vulnerability analysis and mitigation

A critical vulnerability (CVE-2020-11100) was discovered in HAProxy versions 1.8 through 2.x before 2.1.4, affecting the HPACK decoder in the HTTP/2 implementation. The vulnerability was discovered by Felix Wilhelm from Google Project Zero and disclosed on April 2, 2020. The issue affects the hpack_dht_insert function in hpack-tbl.c, which allows remote attackers to write arbitrary bytes around certain locations on the heap via crafted HTTP/2 requests (HAProxy Announce, NVD).

The vulnerability exists in the HPACK decoder used for HTTP/2 processing, specifically in the hpack_dht_insert function within hpack-tbl.c. The flaw allows an attacker to perform out-of-bounds writes to memory locations within the process's heap. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high severity with network attack vector and low attack complexity (NVD, Red Hat).

The vulnerability can lead to memory corruption, potentially resulting in denial-of-service conditions through process crashes. While the attacker cannot control absolute memory addresses, there exists a possibility of remote code execution under certain circumstances, particularly in lab-controlled environments. The impact is particularly severe for systems using HTTP/2, as there is no configuration-based workaround for HAProxy versions 2.1 and above (HAProxy Announce, Debian Security).

The primary mitigation is to upgrade to HAProxy version 2.1.4 or later, which contains the fix for this vulnerability. For systems unable to upgrade immediately, disabling HTTP/2 support can serve as a temporary workaround. On Red Hat Enterprise Linux 8, HAProxy is confined by SELinux, which provides some mitigation against remote code execution. HAProxy packages shipped with Red Hat Enterprise Linux 6 and 7 are not affected as they do not contain support for HTTP/2 (Red Hat).

The vulnerability was handled through responsible disclosure, with the researcher Felix Wilhelm from Google Project Zero agreeing to delay the publication of findings to allow time for updates. Major Linux distributions quickly responded with security updates, including Red Hat, Debian, Ubuntu, and SUSE, highlighting the severity of the issue (Red Hat, Debian Security).