A critical vulnerability (CVE-2023-44487) was identified in HAProxy, a widely used load balancing and reverse proxy solution. This flaw, found in HAProxy’s handling of HTTP/2 streams, can potentially lead to a denial of service (DoS) attack due to excessive resource consumption.
This vulnerability was actively exploited in the wild between August and October 2023, as reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Users relying on affected HAProxy versions must take immediate action to mitigate this issue and ensure their environment remains secure.
HAProxy Vulnerability – CVE-2023-44487
The flaw lies in how HAProxy handles multiplexed streams in the HTTP/2 protocol. Specifically, HAProxy fails to properly limit the creation of new HTTP/2 streams. A remote attacker could exploit this flaw by repeatedly requesting new multiplexed streams and immediately canceling them with an RST_STREAM frame. This forces the server to allocate resources to create and dismantle each stream while the number of streams open at any moment stays below the predefined per-connection limit for active streams, so the limit never triggers and server resources are exhausted. This leads to a denial of service (DoS) condition.
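A defender-side check for the pattern described above, added here as an example and not part of the original article or of HAProxy's own code: it parses raw HTTP/2 frames from one client connection and counts streams that are opened by HEADERS and cancelled by RST_STREAM before any other frame on that stream, which is the signature of this attack. The frame layout follows RFC 9113; the alert threshold and the constructed sample input are assumptions.

```python
HEADERS, RST_STREAM = 0x1, 0x3  # HTTP/2 frame type codes (RFC 9113)
CANCEL = 0x8                    # RST_STREAM error code seen in the open-then-cancel pattern

def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        sid = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # truncated frame: wait for more bytes
        yield ftype, flags, sid, payload
        pos += 9 + length

def analyse_connection(data, reset_threshold=50):
    """Count streams opened, streams reset straight after opening, and peak concurrency.
    Many open+reset pairs while concurrency stays low is the Rapid Reset signature."""
    pending = {}  # stream id -> True until some other frame follows its HEADERS
    opened = immediate_resets = peak = 0
    for ftype, _flags, sid, _payload in iter_frames(data):
        if sid == 0:
            continue  # connection-level frames (SETTINGS, PING, ...) are not streams
        if ftype == HEADERS and sid not in pending:
            pending[sid] = True
            opened += 1
            peak = max(peak, len(pending))  # concurrency the per-connection limit would see
        elif ftype == RST_STREAM:
            if pending.pop(sid, False):
                immediate_resets += 1
        elif sid in pending:
            pending[sid] = False  # the stream did real work before any reset
    return {"opened": opened, "immediate_resets": immediate_resets,
            "peak_concurrent": peak, "rapid_reset": immediate_resets >= reset_threshold}

def constructed_rapid_reset_sample(pairs=100):
    """Constructed sample (not a capture): HEADERS then RST_STREAM(CANCEL) on fresh odd stream ids."""
    out = b""
    for i in range(pairs):
        sid = 2 * i + 1
        out += build_frame(HEADERS, sid, b"\x82\x84", flags=0x5)  # END_STREAM|END_HEADERS
        out += build_frame(RST_STREAM, sid, CANCEL.to_bytes(4, "big"))
    return out
```

Note that `peak_concurrent` stays at 1 for the whole sample, which is why a limit on concurrently active streams alone does not stop this pattern; a rate limit on resets per connection (or per time window) is what the detector's `immediate_resets` counter supports.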
Affected Systems and Mitigations
One of the Linux distributions affected by CVE-2023-44487 is Ubuntu 18.04, which reached its end of life on May 31, 2023. As a result, this Ubuntu version no longer receives security patches from Canonical. However, users of Ubuntu 18.04 who are subscribed to Ubuntu Pro can still access security updates through Canonical’s Expanded Security Maintenance (ESM) service. ESM extends support for five additional years, ensuring critical vulnerabilities like this one are patched. Recently, Canonical has released a security update to address this vulnerability in the HAProxy package in Ubuntu 18.04 ESM.
For those looking for a more affordable option, TuxCare’s Ubuntu 18.04 Endless Lifecycle Support (ELS) offers a compelling alternative. It allows organizations to continue receiving vendor-grade security patches for as long as needed, giving them the flexibility to migrate at their own pace. This solution can be especially beneficial for businesses seeking a cost-effective way to maintain security on end-of-life systems. The ELS team had already patched this vulnerability in the HAProxy package earlier, in October 2023.
Broader Impact of CVE-2023-44487
This vulnerability is not specific to HAProxy: it affects multiple packages that implement the HTTP/2 protocol, including HAProxy, Nginx, Tomcat, and Apache. It’s crucial to update these packages to the latest versions that incorporate the necessary security patches.
TuxCare’s Endless Lifecycle Support (ELS) covers over 140 critical packages, including the Linux kernel, OpenSSL, glibc, HAProxy, Nginx, Tomcat, Apache, Python, MySQL, and more. This extended support is available for a wide range of Linux distributions, including CentOS 6, CentOS 7, CentOS 8, CentOS Stream 8, Oracle Linux 6, Oracle Linux 7, Ubuntu 16.04, and Ubuntu 18.04.
For those managing end-of-life systems, TuxCare provides a valuable lifeline to continue receiving critical security updates without the need for costly or immediate migrations.
Source: USN-7067-1
Summary
Article Name: Addressing the HAProxy Vulnerability in End-of-Life Linux Systems
Description: Learn about the HAProxy vulnerability (CVE-2023-44487) and how to protect your end-of-life Linux systems with Endless Lifecycle Support.
Author: Rohan Timalsina
Publisher Name: TuxCare