CVE-2022-0711
First published: Fri Feb 11 2022(Updated: )
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/haproxy | 1.8.19-1+deb10u3 1.8.19-1+deb10u4 2.2.9-2+deb11u5 2.6.12-1 2.6.15-1 | |
| redhat/haproxy | <0:2.0.16-3.el7 | 0:2.0.16-3.el7 |
| redhat/haproxy | <0:2.0.19-3.el7 | 0:2.0.19-3.el7 |
| redhat/haproxy | <0:2.2.13-3.el8 | 0:2.2.13-3.el8 |
| redhat/haproxy | <0:2.2.15-4.el8 | 0:2.2.15-4.el8 |
| redhat/haproxy | <2.5.2 | 2.5.2 |
| Haproxy Haproxy | >=2.2.0<2.2.21 | |
| Haproxy Haproxy | >=2.3.0<2.3.18 | |
| Haproxy Haproxy | >=2.4.0<2.4.13 | |
| Red Hat OpenShift Container Platform | =4.0 | |
| Redhat Software Collections | ||
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Debian Debian Linux | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/cve-2022-0711
- https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
- https://www.debian.org/security/2022/dsa-5102
- https://www.mail-archive.com/haproxy@formilux.org/msg41833.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2053666
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
- https://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=86032c309b1f42177826deaa39f7c26903a074ca
- https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=eb1bdcb7cf6e7bd1690f7dcc6d97de3d79b54cdc
- https://security-tracker.debian.org/tracker/CVE-2022-0711
- https://www.cve.org/CVERecord?id=CVE-2022-0711 https://nvd.nist.gov/vuln/detail/CVE-2022-0711 https://www.mail-archive.com/haproxy@formilux.org/msg41833.html
- https://access.redhat.com/errata/RHSA-2022:1620
- https://access.redhat.com/errata/RHSA-2022:1336
- https://access.redhat.com/errata/RHSA-2022:1153
- https://access.redhat.com/errata/RHSA-2022:1021
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2059440
- https://www.mail-archive.com/haproxy%40formilux.org/msg41833.html
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID of this flaw in HAProxy?
The vulnerability ID is CVE-2022-0711.
How does this vulnerability affect HAProxy?
This vulnerability can lead to a denial of service condition in HAProxy.
What is the severity of CVE-2022-0711?
The severity of CVE-2022-0711 is high with a severity value of 7.
What software versions of HAProxy are affected by this vulnerability?
HAProxy versions up to 2.5.1 are affected by this vulnerability.
How can I fix CVE-2022-0711 in HAProxy?
To fix CVE-2022-0711, update HAProxy to version 2.5.2 or later.
- collector/security-tracker-debian
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-0711
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/event
- agent/trending
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- agent/tags
- agent/softwarecombine
- agent/source
- package-manager/debian
- package-manager/redhat
- vendor/haproxy
- canonical/haproxy haproxy
- version/haproxy haproxy/2.2.0
- version/haproxy haproxy/2.3.0
- version/haproxy haproxy/2.4.0
- vendor/redhat
- canonical/red hat openshift container platform
- version/red hat openshift container platform/4.0
- canonical/redhat software collections
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0