HAProxy critical security update — to avoid simple(ish) DoS attack (20 September 2018)
A critical security issue has been found in HAProxy, leaving certain systems vulnerable to remote attack. We want to keep you informed, and we understand that this news might cause you some anxiety.
But be reassured — most of our customers won’t be affected.
We have already notified those we’re aware of. Unless you’ve enabled HTTP/2, you shouldn’t have any problems. If you are using the faulty protocol, or if you aren’t sure - don’t panic!
HTTP/2 is fine in pass-through mode (the load balancer forwards the TCP stream without parsing HTTP/2 itself). However, if you are using native HTTP/2 binding:
frontend f_myapp
    bind :443 ssl crt /path/to/cert.crt alpn h2,http/1.1
    mode http
Then you are at risk, so please update.
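If you are not sure whether any of your frontends use native HTTP/2, the script below (an added example, not part of the original post and not Loadbalancer.org or HAProxy code) scans a haproxy.cfg for bind lines that advertise h2 via ALPN, the pattern shown above. The config path and the sample config it falls back to are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report every frontend/listen
# section whose "bind" line offers HTTP/2 through ALPN, i.e. the native
# HTTP/2 binding the post says needs the update. Pure TCP pass-through binds
# (no alpn, or alpn without h2) are not reported.

# find_native_h2_binds CONFIG_FILE
# Prints "<section>: <bind line>" for each bind that negotiates h2 via alpn.
find_native_h2_binds() {
  awk '
    /^[[:space:]]*(frontend|listen)[[:space:]]/ { section = $2; next }
    /^[[:space:]]*(backend|defaults|global)([[:space:]]|$)/ { section = ""; next }
    section != "" && /^[[:space:]]*bind[[:space:]]/ {
      for (i = 1; i < NF; i++)
        if ($i == "alpn" && $(i + 1) ~ /(^|,)h2(,|$)/) {
          sub(/^[[:space:]]+/, "")
          print section ": " $0
          break
        }
    }
  ' "$1"
}

# Constructed sample config (not a real deployment), used when no path is given.
write_sample_config() {
  cat > "$1" <<'EOF'
frontend f_myapp
    bind :443 ssl crt /path/to/cert.crt alpn h2,http/1.1
    mode http
frontend f_legacy
    bind :8443 ssl crt /path/to/cert.crt alpn http/1.1
    mode http
listen l_passthrough
    bind :9443
    mode tcp
    server app1 10.0.0.10:443
EOF
}

# Usage: sh check_h2.sh [/etc/haproxy/haproxy.cfg]  (default path is an assumption)
CONF="${1:-}"
if [ -z "$CONF" ]; then
  CONF="$(mktemp)"
  write_sample_config "$CONF"
fi
echo "Binds negotiating HTTP/2 natively in $CONF:"
find_native_h2_binds "$CONF"
```

Any section listed by the script should be updated (or switched to TCP pass-through) before HTTP/2 clients are allowed to reach it.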
Read more about the issue, CVE-2018-14645, here.
Even though the bug was only recently announced, we've already released a fix.
How did we release a fix so quickly?
The open source security model is rock solid. Every major open source project has a short list of individuals who get advance notice of a critical security issue. In the case of HAProxy, Loadbalancer.org gets the early scoop.
This means we had enough time to evaluate, patch and test the update before our customers even had a chance to worry.
We released the update just hours after the official announcement on Thursday the 20th September 2018 @ 12:34 UMT.
Our open source heroes are Tim Düsterhus and Willy Tarreau, who did the hard work behind the scenes to find and fix this bug.
Security is a big deal — British Airways facing $1bn fine over cyber hack
Customer data security is serious business. The costs of getting it wrong are steep - negative media attention, leading to real financial and reputational damage.
High-profile hacks should give us all pause for thought.
Last year’s Equifax data breach looked like a failure to apply basic security updates for a well-known problem. More recently, a criminal gang attacked British Airways, Ticketmaster and NewEgg just by inserting a simple piece of JavaScript XSS code on supposedly secure servers.
A WAF may not have blocked this internal attack - but it would have prevented most common external attack vectors like XSS and SQL injection.
Loadbalancer.org recommends that you consider a market-leading WAF such as CloudFlare or Incapsula. If you’re already using our load balancer for your applications, though, you’ve got the extra firepower of a built-in WAF.
How to train your dragon
The ModSecurity based Web Application Firewall (WAF) we introduced three years ago has proven fast and reliable. But it has teeth. One customer recently joked that "Taming a dragon would be easier than configuring a WAF!"
We've developed some tools in v8.3.3 to make the whole process easier. Let's look at how to use the WAF with as little pain as possible...
If you have any questions about the HAProxy security update, please don't hesitate to get in touch with us by either leaving a comment below or clicking here.