
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-39240 is a security vulnerability discovered in HAProxy versions 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. The vulnerability relates to an input validation flaw in the processing of HTTP/2 requests where the software fails to ensure that the scheme and path portions of a URI have the expected characters (CVE Mitre, Debian Security).
The root cause is that HAProxy does not validate the characters of the scheme and path portions of URIs in HTTP/2 requests. As a result, the authority that a backend HTTP/2 server sees can differ from the one HAProxy's routing rules evaluated: by appending parts of a request to the scheme, or prepending parts of a domain name to the path, an attacker could make HAProxy and the backend server interpret different authorities or URL prefixes (HAProxy Announce).
An attacker could use this to bypass routing rules and have requests forwarded to backend servers the rules were meant to exclude. It particularly affects deployments that speak HTTP/2 to backend servers, which HAProxy 2.2 and later support, because those versions pass absolute URIs from end to end. The impact is greatest in configurations whose routing decisions are based on the Host header field (HAProxy Announce).
Several mitigation strategies are available (HAProxy Announce, Fedora Update):
1) Disable HTTP/2 communication with servers by removing 'proto h2' from server lines.
2) Place a URI rewriting rule using 'http-request set-uri %[url]' at the beginning of HTTP frontends.
3) Disable HTTP/2 processing entirely by setting 'tune.h2.max-concurrent-streams 0' in the global section.
4) Update to a patched version: 2.2.16, 2.3.13, or 2.4.3 or later.
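The following configuration fragment is an added illustration, not taken from the advisory or from the HAProxy project, showing in which section each of the three configuration-level mitigations above belongs. The frontend and backend names, the addresses 192.0.2.10 and 192.0.2.20, the hostname app.example.com and the certificate path are constructed placeholders.

```haproxy
# Added example: where each CVE-2021-39240 configuration mitigation goes.
# All names, addresses and paths below are constructed for illustration.

global
    # Mitigation 3: disable HTTP/2 processing entirely. Only use this when
    # HTTP/2 is not needed at all; uncomment to activate.
    # tune.h2.max-concurrent-streams 0

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_http
    bind :443 ssl crt /etc/haproxy/example.pem alpn h2,http/1.1   # placeholder cert path
    # Mitigation 2: rewrite the request URI before any routing rule is
    # evaluated; the advisory says to keep this at the beginning of every
    # HTTP frontend, i.e. as the first http-request rule.
    http-request set-uri %[url]
    # Host-header-based routing, the configuration the advisory flags as
    # most exposed, now runs on the rewritten URI.
    use_backend be_app if { req.hdr(host) -i app.example.com }
    default_backend be_default

backend be_app
    # Mitigation 1: talk HTTP/1.1 to the server by omitting 'proto h2'.
    # Exposed form for comparison (do not use on unpatched versions):
    #   server app1 192.0.2.10:8443 ssl verify none proto h2
    server app1 192.0.2.10:8443 ssl verify none

backend be_default
    server default1 192.0.2.20:8080
```

Mitigations 1 and 2 can be applied independently and are the least disruptive; mitigation 3 removes HTTP/2 for clients as well, so it is only appropriate where HTTP/2 is not required. Upgrading to 2.2.16, 2.3.13 or 2.4.3 or later remains the complete fix.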
Source: This report was generated using AI