CVE-2024-49214
Publication date 14 October 2024
Last updated 6 November 2024
Ubuntu priority
QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| haproxy | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
Notes
mdeslaur
Per the CVE description, this affects 2.9.x+, per the commit description, this affects 2.6+. As of 2024-10-29, there is no backport to 2.8.x available. The fix consists of providing a token to the client each time it successfully managed to connect to haproxy. The token code is only enabled if HAVE_SSL_0RTT_QUIC is set, which is only set when aws-lc and perhaps boringssl is being used as the ssl backend. In Ubuntu, packages are built with OpenSSL, so the QUIC support doesn't handle 0RTT and hence packages are not vulnerable.
Patch details
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-49214
- https://www.haproxy.org/download/3.1/src/CHANGELOG
- https://www.haproxy.org/download/3.0/src/CHANGELOG
- https://www.haproxy.org/download/2.9/src/CHANGELOG
- https://www.mail-archive.com/haproxy%40formilux.org/msg45291.html
- https://www.mail-archive.com/haproxy%40formilux.org/msg45314.html
- https://www.mail-archive.com/haproxy%40formilux.org/msg45315.html