H2 DOS vulnerabilities (discovered by Netflix). HAProxy Vulnerable?

Hello. I was reading about the h/2 DOS exploits published last night in the Netflix security blog. While most CVEs mention either Apache or Nginx, I was wondering how/if HAProxy is impacted by these, and I can't seem to find much information, since it's pretty new.

EDIT: I had already upgraded all nginx servers that sit behind HAProxy

Thanks for any information around updates and possible config mitigation… and as always for a great product.

In short: no, haproxy is not vulnerable and Willy Tarreau was indeed notified by Piotr Sikora.

A minor improvement is currently under development, but there is nothing vulnerable about the current code.

More about this on the mailing list:

https://www.mail-archive.com/haproxy@formilux.org/msg34717.html

That was my 99% sure guess, thanks for confirming @lukastribus. Thank you for the link, I'll check it out.