Posted to dev@cloudstack.apache.org by "Riepl, Gregor (SWISS TXT)" <Gr...@swisstxt.ch> on 2021/09/10 12:21:36 UTC

CVE-2021-40346 (haproxy 2.x)

Hi,

Are you aware of https://nvd.nist.gov/vuln/detail/CVE-2021-40346 ?
Haproxy 2.0 through 2.5 has a vulnerability that can be exploited to smuggle requests to backend systems.

If the CloudStack VR is using one of these versions, it should be patched everywhere ASAP.

Regards,
Greg

Re: CVE-2021-40346 (haproxy 2.x)

Posted by Rohit Yadav <ro...@shapeblue.com>.
Thanks for the heads up Gregor, we'll rebuild systemvmtemplates for 4.16/main branch.


Regards.

________________________________
From: Wei ZHOU <us...@gmail.com>
Sent: Friday, September 10, 2021 18:28
To: dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Subject: Re: CVE-2021-40346 (haproxy 2.x)

Hi Greg,

Thanks for the info. It is good that our systemvm templates are not
impacted.

CloudStack 4.15.1 systemvm template uses haproxy 1.8.19. CloudStack 4.16
systemvm template uses haproxy 2.2.9, but it is not officially released yet.

-Wei

On Fri, 10 Sept 2021 at 14:22, Riepl, Gregor (SWISS TXT) <
Gregor.Riepl@swisstxt.ch> wrote:

> Hi,
>
> Are you aware of https://nvd.nist.gov/vuln/detail/CVE-2021-40346 ?
> Haproxy 2.0 through 2.5 has a vulnerability that can be exploited to
> smuggle requests to backend systems.
>
> If the CloudStack VR is using one of these versions, it should be patched
> everywhere ASAP.
>
> Regards,
> Greg
>

 


Re: CVE-2021-40346 (haproxy 2.x)

Posted by Wei ZHOU <us...@gmail.com>.
Hi Greg,

Thanks for the info. It is good that our systemvm templates are not
impacted.

CloudStack 4.15.1 systemvm template uses haproxy 1.8.19. CloudStack 4.16
systemvm template uses haproxy 2.2.9, but it is not officially released yet.

-Wei

On Fri, 10 Sept 2021 at 14:22, Riepl, Gregor (SWISS TXT) <
Gregor.Riepl@swisstxt.ch> wrote:

> Hi,
>
> Are you aware of https://nvd.nist.gov/vuln/detail/CVE-2021-40346 ?
> Haproxy 2.0 through 2.5 has a vulnerability that can be exploited to
> smuggle requests to backend systems.
>
> If the CloudStack VR is using one of these versions, it should be patched
> everywhere ASAP.
>
> Regards,
> Greg
>