CVE-2018-11469 - Information Exposure vulnerability in multiple products

CVSS 5.9 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: NONE
  • Availability impact: NONE

Tags: network, high complexity, haproxy, canonical, CWE-200, nessus

Summary

Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows attackers to achieve information disclosure via an unauthenticated remote request, related to the proto_http.c check_request_for_cacheability function.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including the version of the browser, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-824.NASL
    description: This update for haproxy to version 1.8.14 fixes the following issues : These security issues were fixed : - CVE-2018-14645: A flaw was discovered in the HPACK decoder that caused an out-of-bounds read in hpack_valid_idx() that resulted in a remote crash and denial of service (bsc#1108683) - CVE-2018-11469: Incorrect caching of responses to requests including an Authorization header allowed attackers to achieve information disclosure via an unauthenticated remote request (bsc#1094846). These non-security issues were fixed : - Require apparmor-abstractions to reduce dependencies (bsc#1100787) - hpack: fix improper sign check on the header index value - cli: make sure the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 123348
    published: 2019-03-27
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123348
    title: openSUSE Security Update : haproxy (openSUSE-2019-824)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-824.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123348);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/30");
    
      script_cve_id("CVE-2018-11469", "CVE-2018-14645");
    
      script_name(english:"openSUSE Security Update : haproxy (openSUSE-2019-824)");
      script_summary(english:"Check for the openSUSE-2019-824 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for haproxy to version 1.8.14 fixes the following issues :
    
    These security issues were fixed :
    
      - CVE-2018-14645: A flaw was discovered in the HPACK
        decoder what caused an out-of-bounds read in
        hpack_valid_idx() that resulted in a remote crash and
        denial of service (bsc#1108683)
    
      - CVE-2018-11469: Incorrect caching of responses to
        requests including an Authorization header allowed
        attackers to achieve information disclosure via an
        unauthenticated remote request (bsc#1094846).
    
    These non-security issues were fixed :
    
      - Require apparmor-abstractions to reduce dependencies
        (bsc#1100787)
    
      - hpack: fix improper sign check on the header index value
    
      - cli: make sure the 'getsock' command is only called on
        connections
    
      - tools: fix set_net_port() / set_host_port() on IPv4
    
      - patterns: fix possible double free when reloading a
        pattern list
    
      - server: Crash when setting FQDN via CLI.
    
      - kqueue: Don't reset the changes number by accident.
    
      - snapshot: take the proxy's lock while dumping errors
    
    - http/threads: atomically increment the error snapshot ID
    
      - dns: check and link servers' resolvers right after
        config parsing
    
      - h2: fix risk of memory leak on malformated wrapped
        frames
    
      - session: fix reporting of handshake processing time in
        the logs
    
      - stream: use atomic increments for the request counter
    
      - thread: implement HA_ATOMIC_XADD()
    
      - ECC cert should work with TLS < v1.2 and openssl >=
        1.1.1
    
      - dns/server: fix incomatibility between SRV resolution
        and server state file
    
      - hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP
        returns 0.
    
      - thread: lua: Wrong SSL context initialization.
    
      - hlua: Make sure we drain the output buffer when done.
    
      - lua: reset lua transaction between http requests
    
      - mux_pt: dereference the connection with care in
        mux_pt_wake()
    
      - lua: Bad HTTP client request duration.
    
      - unix: provide a ->drain() function
    
      - Fix spelling error in configuration doc
    
      - cli/threads: protect some server commands against
        concurrent operations
    
      - cli/threads: protect all 'proxy' commands against
        concurrent updates
    
      - lua: socket timeouts are not applied
    
      - ssl: Use consistent naming for TLS protocols
    
      - dns: explain set server ... fqdn requires resolver
    
      - map: fix map_regm with backref
    
      - ssl: loading dh param from certifile causes
        unpredictable error.
    
      - ssl: fix missing error loading a keytype cert from a
        bundle.
    
      - ssl: empty connections reported as errors.
    
      - cli: make 'show fd' thread-safe
    
      - hathreads: implement a more flexible rendez-vous point
    
      - threads: fix the no-thread case after the change to the
        sync point
    
      - threads: add more consistency between certain variables
        in no-thread case
    
      - threads: fix the double CAS implementation for ARMv7
    
      - threads: Introduce double-width CAS on x86_64 and arm.
    
      - lua: possible CLOSE-WAIT state with '\n' headers
    
    For additional changes please refer to the changelog.
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1094846"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1100787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1108683"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected haproxy packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-11469");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"haproxy-1.8.14~git0.52e4d43b-lp150.2.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"haproxy-debuginfo-1.8.14~git0.52e4d43b-lp150.2.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"haproxy-debugsource-1.8.14~git0.52e4d43b-lp150.2.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy / haproxy-debuginfo / haproxy-debugsource");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-1229.NASL
    description: This update for haproxy to version 1.8.14 fixes the following issues : These security issues were fixed : - CVE-2018-14645: A flaw was discovered in the HPACK decoder that caused an out-of-bounds read in hpack_valid_idx() that resulted in a remote crash and denial of service (bsc#1108683) - CVE-2018-11469: Incorrect caching of responses to requests including an Authorization header allowed attackers to achieve information disclosure via an unauthenticated remote request (bsc#1094846). These non-security issues were fixed : - Require apparmor-abstractions to reduce dependencies (bsc#1100787) - hpack: fix improper sign check on the header index value - cli: make sure the
    last seen: 2020-06-05
    modified: 2018-10-24
    plugin id: 118344
    published: 2018-10-24
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118344
    title: openSUSE Security Update : haproxy (openSUSE-2018-1229)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-1229.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118344);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-11469", "CVE-2018-14645");
    
      script_name(english:"openSUSE Security Update : haproxy (openSUSE-2018-1229)");
      script_summary(english:"Check for the openSUSE-2018-1229 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for haproxy to version 1.8.14 fixes the following issues :
    
    These security issues were fixed :
    
      - CVE-2018-14645: A flaw was discovered in the HPACK
        decoder what caused an out-of-bounds read in
        hpack_valid_idx() that resulted in a remote crash and
        denial of service (bsc#1108683)
    
      - CVE-2018-11469: Incorrect caching of responses to
        requests including an Authorization header allowed
        attackers to achieve information disclosure via an
        unauthenticated remote request (bsc#1094846).
    
    These non-security issues were fixed :
    
      - Require apparmor-abstractions to reduce dependencies
        (bsc#1100787)
    
      - hpack: fix improper sign check on the header index value
    
      - cli: make sure the 'getsock' command is only called on
        connections
    
      - tools: fix set_net_port() / set_host_port() on IPv4
    
      - patterns: fix possible double free when reloading a
        pattern list
    
      - server: Crash when setting FQDN via CLI.
    
      - kqueue: Don't reset the changes number by accident.
    
      - snapshot: take the proxy's lock while dumping errors
    
    - http/threads: atomically increment the error snapshot ID
    
      - dns: check and link servers' resolvers right after
        config parsing
    
      - h2: fix risk of memory leak on malformated wrapped
        frames
    
      - session: fix reporting of handshake processing time in
        the logs
    
      - stream: use atomic increments for the request counter
    
      - thread: implement HA_ATOMIC_XADD()
    
      - ECC cert should work with TLS < v1.2 and openssl >=
        1.1.1
    
      - dns/server: fix incomatibility between SRV resolution
        and server state file
    
      - hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP
        returns 0.
    
      - thread: lua: Wrong SSL context initialization.
    
      - hlua: Make sure we drain the output buffer when done.
    
      - lua: reset lua transaction between http requests
    
      - mux_pt: dereference the connection with care in
        mux_pt_wake()
    
      - lua: Bad HTTP client request duration.
    
      - unix: provide a ->drain() function
    
      - Fix spelling error in configuration doc
    
      - cli/threads: protect some server commands against
        concurrent operations
    
      - cli/threads: protect all 'proxy' commands against
        concurrent updates
    
      - lua: socket timeouts are not applied
    
      - ssl: Use consistent naming for TLS protocols
    
      - dns: explain set server ... fqdn requires resolver
    
      - map: fix map_regm with backref
    
      - ssl: loading dh param from certifile causes
        unpredictable error.
    
      - ssl: fix missing error loading a keytype cert from a
        bundle.
    
      - ssl: empty connections reported as errors.
    
      - cli: make 'show fd' thread-safe
    
      - hathreads: implement a more flexible rendez-vous point
    
      - threads: fix the no-thread case after the change to the
        sync point
    
      - threads: add more consistency between certain variables
        in no-thread case
    
      - threads: fix the double CAS implementation for ARMv7
    
      - threads: Introduce double-width CAS on x86_64 and arm.
    
      - lua: possible CLOSE-WAIT state with '\n' headers
    
    For additional changes please refer to the changelog.
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1094846"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1100787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1108683"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected haproxy packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"haproxy-1.8.14~git0.52e4d43b-lp150.2.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"haproxy-debuginfo-1.8.14~git0.52e4d43b-lp150.2.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"haproxy-debugsource-1.8.14~git0.52e4d43b-lp150.2.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy / haproxy-debuginfo / haproxy-debugsource");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3663-1.NASL
    description: It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this to expose sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110262
    published: 2018-05-31
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110262
    title: Ubuntu 18.04 LTS : haproxy vulnerability (USN-3663-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3663-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110262);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2018-11469");
      script_xref(name:"USN", value:"3663-1");
    
      script_name(english:"Ubuntu 18.04 LTS : haproxy vulnerability (USN-3663-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that HAProxy incorrectly handled certain resquests.
    An attacker could possibly use this to expose sensitive information.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3663-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected haproxy package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:haproxy");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"18.04", pkgname:"haproxy", pkgver:"1.8.8-1ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-941D094624.NASL
    description: Update to 1.8.12 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120628
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120628
    title: Fedora 28 : haproxy (2018-941d094624)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-941d094624.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120628);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-11469");
      script_xref(name:"FEDORA", value:"2018-941d094624");
    
      script_name(english:"Fedora 28 : haproxy (2018-941d094624)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Update to 1.8.12
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-941d094624"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected haproxy package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:haproxy");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC28", reference:"haproxy-1.8.12-2.fc28")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
    }
    

Redhat

advisories
  • rhsa id: RHSA-2019:1436
rpms
  • rh-haproxy18-haproxy-0:1.8.17-1.el7
  • rh-haproxy18-haproxy-debuginfo-0:1.8.17-1.el7
  • rh-haproxy18-haproxy-syspaths-0:1.8.17-1.el7