Vulnerabilities > CVE-2020-11100 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH

Summary

In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.

Vulnerable Configurations

Part Description Count
Application
Haproxy
82
Application
Redhat
2
OS
Debian
1
OS
Fedoraproject
2
OS
Canonical
2
OS
Opensuse
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0289_HAPROXY.NASL
    descriptionAn update of the haproxy package has been released.
    last seen2020-04-30
    modified2020-04-28
    plugin id136032
    published2020-04-28
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136032
    titlePhoton OS 1.0: Haproxy PHSA-2020-1.0-0289
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-1.0-0289. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136032);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29");
    
      script_cve_id("CVE-2020-11100");
    
      script_name(english:"Photon OS 1.0: Haproxy PHSA-2020-1.0-0289");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the haproxy package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-289.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11100");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/28");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-1.0", cpu:"x86_64", reference:"haproxy-2.0.10-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", cpu:"x86_64", reference:"haproxy-debuginfo-2.0.10-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", cpu:"x86_64", reference:"haproxy-doc-2.0.10-2.ph1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1288.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1288 advisory. - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-04
    modified2020-04-02
    plugin id135183
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135183
    titleRHEL 8 : haproxy (RHSA-2020:1288)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1288. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135183);
      script_version("1.1");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/02");
    
      script_cve_id("CVE-2020-11100");
      script_xref(name:"RHSA", value:"2020:1288");
    
      script_name(english:"RHEL 8 : haproxy (RHSA-2020:1288)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in
    the RHSA-2020:1288 advisory.
    
      - haproxy: malformed HTTP/2 requests can lead to out-of-
        bounds writes (CVE-2020-11100)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/787.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1288");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-11100");
      script_set_attribute(attribute:"solution", value:
    "Update the affected haproxy and / or haproxy-debugsource packages.");
      script_set_attribute(attribute:"risk_factor", value:"Critical");
      script_cwe_id(20, 787);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/02");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    pkgs = [
        {'reference':'haproxy-1.8.15-6.el8_1.1', 'cpu':'aarch64', 'release':'8'},
        {'reference':'haproxy-1.8.15-6.el8_1.1', 'cpu':'s390x', 'release':'8'},
        {'reference':'haproxy-1.8.15-6.el8_1.1', 'cpu':'x86_64', 'release':'8'},
        {'reference':'haproxy-debugsource-1.8.15-6.el8_1.1', 'cpu':'aarch64', 'release':'8'},
        {'reference':'haproxy-debugsource-1.8.15-6.el8_1.1', 'cpu':'s390x', 'release':'8'},
        {'reference':'haproxy-debugsource-1.8.15-6.el8_1.1', 'cpu':'x86_64', 'release':'8'}
    ];
    
    flag = 0;
    foreach package_array ( pkgs ) {
      reference = NULL;
      release = NULL;
      sp = NULL;
      cpu = NULL;
      el_string = NULL;
      rpm_spec_vers_cmp = NULL;
      epoch = NULL;
      if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
      if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
      if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
      if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
      if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
      if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
      if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
      if (reference && release) {
        if (rpm_spec_vers_cmp) {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
        }
        else
        {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
        }
      }
    }
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'haproxy / haproxy-debugsource');
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1289.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1289 advisory. - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-04
    modified2020-04-02
    plugin id135184
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135184
    titleRHEL 8 : haproxy (RHSA-2020:1289)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1289. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135184);
      script_version("1.1");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/02");
    
      script_cve_id("CVE-2020-11100");
      script_xref(name:"RHSA", value:"2020:1289");
    
      script_name(english:"RHEL 8 : haproxy (RHSA-2020:1289)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in
    the RHSA-2020:1289 advisory.
    
      - haproxy: malformed HTTP/2 requests can lead to out-of-
        bounds writes (CVE-2020-11100)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/787.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1289");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-11100");
      script_set_attribute(attribute:"solution", value:
    "Update the affected haproxy and / or haproxy-debugsource packages.");
      script_set_attribute(attribute:"risk_factor", value:"Critical");
      script_cwe_id(20, 787);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/02");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:rhel_e4s:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:rhel_e4s:8.0::appstream");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    pkgs = [
        {'reference':'haproxy-1.8.15-5.el8_0.1', 'cpu':'aarch64', 'release':'8'},
        {'reference':'haproxy-1.8.15-5.el8_0.1', 'cpu':'s390x', 'release':'8'},
        {'reference':'haproxy-1.8.15-5.el8_0.1', 'cpu':'x86_64', 'release':'8'},
        {'reference':'haproxy-debugsource-1.8.15-5.el8_0.1', 'cpu':'aarch64', 'release':'8'},
        {'reference':'haproxy-debugsource-1.8.15-5.el8_0.1', 'cpu':'s390x', 'release':'8'},
        {'reference':'haproxy-debugsource-1.8.15-5.el8_0.1', 'cpu':'x86_64', 'release':'8'}
    ];
    
    flag = 0;
    foreach package_array ( pkgs ) {
      reference = NULL;
      release = NULL;
      sp = NULL;
      cpu = NULL;
      el_string = NULL;
      rpm_spec_vers_cmp = NULL;
      epoch = NULL;
      if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
      if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
      if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
      if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
      if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
      if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
      if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
      if (reference && release) {
        if (rpm_spec_vers_cmp) {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
        }
        else
        {
          if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
        }
      }
    }
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'haproxy / haproxy-debugsource');
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0078_HAPROXY.NASL
    descriptionAn update of the haproxy package has been released.
    last seen2020-04-30
    modified2020-04-21
    plugin id135781
    published2020-04-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135781
    titlePhoton OS 3.0: Haproxy PHSA-2020-3.0-0078
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-3.0-0078. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135781);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23");
    
      script_cve_id("CVE-2020-11100");
    
      script_name(english:"Photon OS 3.0: Haproxy PHSA-2020-3.0-0078");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the haproxy package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-78.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11100");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 3\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-2.0.10-2.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-debuginfo-2.0.10-2.ph3")) flag++;
    if (rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-doc-2.0.10-2.ph3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1580.NASL
    descriptionAccording to the version of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.(CVE-2020-11100) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-31
    modified2020-05-26
    plugin id136858
    published2020-05-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136858
    titleEulerOS 2.0 SP8 : haproxy (EulerOS-SA-2020-1580)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136858);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/28");
    
      script_cve_id(
        "CVE-2020-11100"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : haproxy (EulerOS-SA-2020-1580)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the haproxy package installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - In hpack_dht_insert in hpack-tbl.c in the HPACK decoder
        in HAProxy 1.8 through 2.x before 2.1.4, a remote
        attacker can write arbitrary bytes around a certain
        location on the heap via a crafted HTTP/2 request,
        possibly causing remote code execution.(CVE-2020-11100)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1580
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9a71d4f4");
      script_set_attribute(attribute:"solution", value:
    "Update the affected haproxy package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:haproxy");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["haproxy-1.8.14-1.h2.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7F829D44750911EAB47C589CFC0F81B0.NASL
    descriptionThe HAproxy Project reports : The main driver for this release is that it contains a fix for a serious vulnerability that was responsibly reported last week by Felix Wilhelm from Google Project Zero, affecting the HPACK decoder used for HTTP/2. CVE-2020-11100 was assigned to this issue.
    last seen2020-04-30
    modified2020-04-03
    plugin id135192
    published2020-04-03
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135192
    titleFreeBSD : HAproxy -- serious vulnerability affecting the HPACK decoder used for HTTP/2 (7f829d44-7509-11ea-b47c-589cfc0f81b0)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135192);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");
    
      script_cve_id("CVE-2020-11100");
    
      script_name(english:"FreeBSD : HAproxy -- serious vulnerability affecting the HPACK decoder used for HTTP/2 (7f829d44-7509-11ea-b47c-589cfc0f81b0)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The HAproxy Project reports :
    
    The main driver for this release is that it contains a fix for a
    serious vulnerability that was responsibly reported last week by Felix
    Wilhelm from Google Project Zero, affecting the HPACK decoder used for
    HTTP/2. CVE-2020-11100 was assigned to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mail-archive.com/[email protected]/msg36876.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mail-archive.com/[email protected]/msg36877.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mail-archive.com/[email protected]/msg36878.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.mail-archive.com/[email protected]/msg36879.html"
      );
      # https://vuxml.freebsd.org/freebsd/7f829d44-7509-11ea-b47c-589cfc0f81b0.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bd694e5b"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:haproxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:haproxy18");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:haproxy19");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:haproxy21");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"haproxy>=2.0.0<2.0.14")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"haproxy18>=1.8.0<1.8.25")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"haproxy19>=1.9.0<1.9.15")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"haproxy21>=2.1.0<2.1.4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-444.NASL
    descriptionThis update for haproxy fixes the following issues : - CVE-2020-11100: Fixed an H2/HPAC vulnerability ch might have allowed arbitrary writes into a 32-bit relative address space (bsc#1168023). This update was imported from the SUSE:SLE-15-SP1:Update update project.
    last seen2020-04-30
    modified2020-04-06
    plugin id135220
    published2020-04-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135220
    titleopenSUSE Security Update : haproxy (openSUSE-2020-444)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2020-444.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135220);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");
    
      script_cve_id("CVE-2020-11100");
    
      script_name(english:"openSUSE Security Update : haproxy (openSUSE-2020-444)");
      script_summary(english:"Check for the openSUSE-2020-444 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for haproxy fixes the following issues :
    
      - CVE-2020-11100: Fixed an H2/HPAC vulnerability ch might
        have allowed arbitrary writes into a 32-bit relative
        address space (bsc#1168023).
    
    This update was imported from the SUSE:SLE-15-SP1:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1168023"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected haproxy packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.1", reference:"haproxy-2.0.10+git0.ac198b92-lp151.2.9.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"haproxy-debuginfo-2.0.10+git0.ac198b92-lp151.2.9.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"haproxy-debugsource-2.0.10+git0.ac198b92-lp151.2.9.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy / haproxy-debuginfo / haproxy-debugsource");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-16CD111544.NASL
    descriptionSecurity fix for CVE-2020-11100) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-14
    plugin id135418
    published2020-04-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135418
    titleFedora 30 : haproxy (2020-16cd111544)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4649.NASL
    descriptionFelix Wilhelm of Google Project Zero discovered that HAProxy, a TCP/HTTP reverse proxy, did not properly handle HTTP/2 headers. This would allow an attacker to write arbitrary bytes around a certain location on the heap, resulting in denial-of-service or potential arbitrary code execution.
    last seen2020-04-30
    modified2020-04-14
    plugin id135416
    published2020-04-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135416
    titleDebian DSA-4649-1 : haproxy - security update
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4321-1.NASL
    descriptionFelix Wilhelm discovered that HAProxy incorrectly handled certain HTTP/2 requests. An attacker could possibly use this to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-08
    plugin id135282
    published2020-04-08
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135282
    titleUbuntu 18.04 LTS / 19.10 : haproxy vulnerability (USN-4321-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-1288.NASL
    descriptionFrom Red Hat Security Advisory 2020:1288 : The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1288 advisory. - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-06
    plugin id135217
    published2020-04-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135217
    titleOracle Linux 8 : haproxy (ELSA-2020-1288)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1936.NASL
    descriptionThe remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1936 advisory. - haproxy: HTTP request smuggling issue with transfer- encoding header containing an obfuscated chunked value (CVE-2019-18277) - haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330) - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-05-08
    modified2020-05-05
    plugin id136319
    published2020-05-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136319
    titleRHEL 7 / 8 : OpenShift Container Platform 4.4.3 haproxy (RHSA-2020:1936)

Redhat

advisories
bugzilla
id1819111
titleCVE-2020-11100 haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 8 is installed
      ovaloval:com.redhat.rhba:tst:20193384074
    • OR
      • AND
        • commenthaproxy-debugsource is earlier than 0:1.8.15-6.el8_1.1
          ovaloval:com.redhat.rhsa:tst:20201288001
        • commenthaproxy-debugsource is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20201288002
      • AND
        • commenthaproxy is earlier than 0:1.8.15-6.el8_1.1
          ovaloval:com.redhat.rhsa:tst:20201288003
        • commenthaproxy is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20130868002
rhsa
idRHSA-2020:1288
released2020-04-02
severityCritical
titleRHSA-2020:1288: haproxy security update (Critical)
rpms
  • haproxy-debuginfo-0:1.8.23-3.el7
  • haproxy18-0:1.8.23-3.el7
  • haproxy-0:1.8.15-6.el8_1.1
  • haproxy-debuginfo-0:1.8.15-6.el8_1.1
  • haproxy-debugsource-0:1.8.15-6.el8_1.1
  • haproxy-0:1.8.15-5.el8_0.1
  • haproxy-debuginfo-0:1.8.15-5.el8_0.1
  • haproxy-debugsource-0:1.8.15-5.el8_0.1
  • rh-haproxy18-haproxy-0:1.8.17-1.el7.1
  • rh-haproxy18-haproxy-debuginfo-0:1.8.17-1.el7.1
  • rh-haproxy18-haproxy-syspaths-0:1.8.17-1.el7.1
  • haproxy-debuginfo-0:2.0.13-3.el7
  • haproxy-debugsource-0:2.0.13-3.el8
  • haproxy20-0:2.0.13-3.el7
  • haproxy20-0:2.0.13-3.el8
  • haproxy20-debuginfo-0:2.0.13-3.el8

References