CVE-2024-49214

Publication date 14 October 2024

Last updated 6 November 2024


Ubuntu priority

QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.

Read the notes from the security team

Status

Package Ubuntu Release Status
haproxy 24.10 oracular
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected

Notes


mdeslaur

Per the CVE description, this affects 2.9.x+, per the commit description, this affects 2.6+. As of 2024-10-29, there is no backport to 2.8.x available. The fix consists of providing a token to the client each time it successfully managed to connect to haproxy. The token code is only enabled if HAVE_SSL_0RTT_QUIC is set, which is only set when aws-lc and perhaps boringssl is being used as the ssl backend. In Ubuntu, packages are built with OpenSSL, so the QUIC support doesn't handle 0RTT and hence packages are not vulnerable.