The Christmas tree is still up, you’ve barely swept away the used party poppers and champagne corks from your New Year celebrations - and already, there’s a new security issue to be aware of.
A vulnerability has been found which could enable a hacker to crash HAProxy when an incorrect frame length check is performed on HEADERS frame having the PRIORITY flag, possibly resulting in a read-past-bound which can cause a crash depending on how the frame is crafted. This isn’t a data security issue, but downtime is obviously bad news for any business, including the big players who are using HAProxy for their sites.
Be reassured that most of our customers won’t be affected.
This bug will only be an issue for users who’ve already upgraded to HTTP/2. If we think you might be vulnerable, we will already have notified you.
Ahead of the curve
Although the issue has only just been announced, we already have a fix available. You can request the patch through our support by emailing email@example.com if you want it now, or wait until we put out v8.3.6 in a few weeks. Our release schedule, complete with thorough testing, hasn’t been disrupted.
How can we stay ahead of the curve like this? Because we’re part of the open-source inner circle, we’re always among the first to get the call from HAProxy when something goes wrong. This means that we’re always on top of bugs before they become a problem.
Applying the patch
We’ve taken the time to test out HAProxy’s patch - here are the steps:
- Extract the HAProxy archive within /usr/local/src and cd to the haproxy-1* source directory
- Apply the patch 0001-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch
- The mux_h2.c file has now been patched with the original’s name appended with mux_h2.c.orig
- After compiling patched HAProxy.1.8.14, run a quick test to ensure that the service is active and functioning correctly.
And that’s it! Major kudos to Willy and the HAProxy team for putting in the hours on this over the festive period.
Don’t be next
If you’d rather not be hitting the headlines for this less than pleasant reason, a WAF is absolutely the best way to stay secure. Loadbalancer.org recommends that you consider a market-leading WAF such as CloudFlare or Incapsula. If you’re already using our load balancer for your applications, though, you’ve got the extra firepower of a built-in WAF.
Since a customer once joked that ‘taming a dragon would be easier than configuring a WAF,’ we’ve also provided some guidance on how to use it with as little pain as possible.
If you have any questions about HAProxy security, please don't hesitate to get in touch with us by either leaving a comment below or clicking here.