Vulnerability Description
A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haproxy | Haproxy | <= 1.8.14 |
| Canonical | Ubuntu Linux | 18.04 |
| Redhat | Openshift | 3.10 |
| Redhat | Openshift Container Platform | 3.9 |
| Redhat | Enterprise Linux | 7.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHBA-2019:0028
- https://access.redhat.com/errata/RHSA-2018:2882Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14645Issue TrackingMitigationThird Party Advisory
- https://usn.ubuntu.com/3780-1/Third Party Advisory
- https://www.mail-archive.com/haproxy%40formilux.org/msg31253.html
- https://access.redhat.com/errata/RHBA-2019:0028
- https://access.redhat.com/errata/RHSA-2018:2882Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14645Issue TrackingMitigationThird Party Advisory
- https://usn.ubuntu.com/3780-1/Third Party Advisory
- https://www.mail-archive.com/haproxy%40formilux.org/msg31253.html
FAQ
What is CVE-2018-14645?
CVE-2018-14645 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.
How severe is CVE-2018-14645?
CVE-2018-14645 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-14645?
Check the references section above for vendor advisories and patch information. Affected products include: Haproxy Haproxy, Canonical Ubuntu Linux, Redhat Openshift, Redhat Openshift Container Platform, Redhat Enterprise Linux.