製品・ソフトウェアに関する情報

JVN脆弱性詳細

HAProxy におけるサービス運用妨害 (DoS) の脆弱性

Title	HAProxy におけるサービス運用妨害 (DoS) の脆弱性
Summary	HAProxy には、MAX_HDR_HISTORY 変数に関する処理に不備があるため、負の発生回数 (negative occurrence count) を伴う hdr_ip、またはその他の hdr_* 関数を使用するように設定している場合、サービス運用妨害 (負の配列インデックスの使用およびクラッシュ) 状態にされる脆弱性が存在します。
Possible impacts	第三者により、値が特定の数値の HTTP ヘッダを介して、サービス運用妨害 (負の配列インデックスの使用およびクラッシュ) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 17, 2013, midnight
Registration Date	Aug. 20, 2013, 4:32 p.m.
Last Update	Aug. 20, 2013, 4:32 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

レッドハット

Red Hat Enterprise Linux Load Balancer 6.0

Red Hat Enterprise Linux Load Balancer EUS 6.4

Canonical

Ubuntu 12.04 LTS

Ubuntu 12.10

Ubuntu 13.04

Willy Tarreau

HAProxy 1.4.24 未満の 1.4

HAProxy 1.5-dev19 未満の 1.5

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-2175	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2175
National Vulnerability Database (NVD)
2	CVE-2013-2175	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2175

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-16	https://jvndb.jvn.jp/ja/cwe/CWE-16.html

ベンダー情報

No	Name	URL
HAProxy
1	[ANNOUNCE] haproxy-1.5-dev19 and 1.4.24 (security update)	http://marc.info/?l=haproxy&m=137147915029705&w=2
Red Hat Bugzilla
2	Bug 974259	https://bugzilla.redhat.com/show_bug.cgi?id=974259
Red Hat Security Advisory
3	RHSA-2013:1120	http://rhn.redhat.com/errata/RHSA-2013-1120.html
Ubuntu Security Notice
4	USN-1889-1	http://www.ubuntu.com/usn/USN-1889-1/

Change Log

No	Changed Details	Date of change
0	[2013年08月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-2175

Summary	HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.
Publication Date	Aug. 19, 2013, 10:07 p.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:51 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:6.0:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:13.04:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:redhat:enterprise_linux_load_balancer:6.4:::::::*
cpe:2.3:a:redhat:enterprise_linux_load_balancer:6.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:haproxy:haproxy:1.4.18:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.5:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.11:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.10:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.1:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.7:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.21:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.4:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.19:::::::*
cpe:2.3:a:haproxy:haproxy:1.4:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.2:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.20:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.13:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.23:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.16:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.8:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.14:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.17:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.22:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.0:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.3:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.12:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.9:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.6:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.15:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:haproxy:haproxy:1.5:dev7::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev4::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev1::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev10::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev6::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev15::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev13::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev16::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev12::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev3::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev0::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev18::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev9::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev2::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev8::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev17::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev11::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev5::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev14::::::

Related information, measures and tools

No	URL	タグ
1	http://marc.info/?l=haproxy&m=137147915029705&w=2	Patch Third Party Advisory
2	http://marc.info/?l=haproxy&m=137147915029705&w=2	Patch Third Party Advisory
3	http://rhn.redhat.com/errata/RHSA-2013-1120.html	Third Party Advisory
4	http://rhn.redhat.com/errata/RHSA-2013-1120.html	Third Party Advisory
5	http://rhn.redhat.com/errata/RHSA-2013-1204.html	Third Party Advisory
6	http://rhn.redhat.com/errata/RHSA-2013-1204.html	Third Party Advisory
7	http://secunia.com/advisories/54344
8	http://secunia.com/advisories/54344
9	http://www.debian.org/security/2013/dsa-2711	Third Party Advisory
10	http://www.debian.org/security/2013/dsa-2711	Third Party Advisory
11	http://www.ubuntu.com/usn/USN-1889-1	Third Party Advisory
12	http://www.ubuntu.com/usn/USN-1889-1	Third Party Advisory
13	https://bugzilla.redhat.com/show_bug.cgi?id=974259	Issue Tracking
14	https://bugzilla.redhat.com/show_bug.cgi?id=974259	Issue Tracking

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html
2	CWE-284	不適切なアクセス制御	https://cwe.mitre.org/data/definitions/284.html

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:haproxy:haproxy:1.4.18:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.5:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.11:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.10:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.1:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.7:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.21:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.4:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.19:::::::*
cpe:2.3:a:haproxy:haproxy:1.4:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.2:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.20:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.13:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.23:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.16:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.8:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.14:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.17:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.22:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.0:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.3:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.12:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.9:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.6:::::::*
cpe:2.3:a:haproxy:haproxy:1.4.15:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:haproxy:haproxy:1.5:dev7::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev4::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev1::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev10::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev6::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev15::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev13::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev16::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev12::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev3::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev0::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev18::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev9::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev2::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev8::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev17::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev11::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev5::::::
cpe:2.3:a:haproxy:haproxy:1.5:dev14::::::