CVE-2021-40346: 
HAProxy vulnerability analysis and mitigation

An integer overflow vulnerability (CVE-2021-40346) was discovered in HAProxy versions 2.0 through 2.5 affecting the htxaddheader function. The vulnerability was discovered by Ori Hollander of JFrog Security and disclosed in September 2021. This vulnerability affects HAProxy, a widely used open-source load balancer proxy server that is particularly suited for high-traffic websites and is shipped with most mainstream Linux distributions (JFrog Blog).

The vulnerability stems from an integer overflow in the htxaddheader function where header name length checks were missing. The function encodes header name length into only 8 bits (should be under 256 characters), so when a header's name is longer than 270 bytes, it causes an unsigned integer overflow. This overflow allows bits from the name field to flow into the value length field, potentially leading to HTTP request smuggling attacks (JFrog Blog, GitHub Commit). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) (NVD).

The vulnerability can be exploited to perform HTTP request smuggling attacks, allowing attackers to bypass all configured http-request HAProxy ACLs and possibly other ACLs. The impact includes potential unauthorized access to sensitive data, execution of unauthorized commands, modification of data, hijacking user sessions, and exploitation of reflected XSS vulnerabilities without user interaction (JFrog Blog).

The vulnerability has been fixed in HAProxy versions 2.0.25, 2.2.17, 2.3.14, and 2.4.4. For users who cannot upgrade, a workaround is available by adding the following lines to HAProxy's configuration: 'http-request deny if { req.hdrcnt(content-length) gt 1 }' and 'http-response deny if { res.hdrcnt(content-length) gt 1 }'. This mitigation helps prevent all known variants of this attack (JFrog Blog, Debian Security).