CVE-2022-0711

7.5 HIGH

📋 TL;DR

CVE-2022-0711 is a denial-of-service vulnerability in HAProxy where specially crafted HTTP responses containing Set-Cookie2 headers can trigger an infinite loop, causing the service to become unresponsive. This affects HAProxy instances processing HTTP traffic, potentially impacting any organization using vulnerable versions as load balancers or reverse proxies. The vulnerability requires an attacker to send malicious responses that HAProxy processes.

💻 Affected Systems

Products:
  • HAProxy
Versions: All versions before 2.4.18, 2.5.9, and 2.6.0
Operating Systems: All operating systems running HAProxy
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects HAProxy configurations processing HTTP traffic. TCP-only configurations are not vulnerable.

📦 What is this software?

HAProxy is an open-source TCP/HTTP load balancer and reverse proxy, commonly deployed in front of web applications and APIs to distribute traffic across backend servers.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete HAProxy service outage leading to denial of service for all backend applications, requiring manual restart and causing extended downtime.
🟠 Likely Case: HAProxy process consumes 100% CPU and becomes unresponsive, requiring restart and causing temporary service disruption.
🟢 If Mitigated: If proper network segmentation and input validation are in place, impact is limited to the HAProxy instance itself without affecting backend services.

🌐 Internet-Facing: HIGH - HAProxy is commonly deployed as an internet-facing load balancer, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control HTTP responses that HAProxy processes, which could be achieved through various means including compromised upstream servers or man-in-the-middle attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HAProxy 2.4.18, 2.5.9, or 2.6.0 and later

Vendor Advisory: https://access.redhat.com/security/cve/cve-2022-0711

Restart Required: Yes

Instructions:

1. Download latest patched version from haproxy.org
2. Stop HAProxy service
3. Install new version
4. Restart HAProxy service
5. Verify functionality

🔧 Temporary Workarounds

Filter Set-Cookie2 Headers (applies to: all)

Use HAProxy configuration to filter or block Set-Cookie2 headers:

http-response del-header Set-Cookie2

Rate Limiting (applies to: all)

Implement rate limiting on HTTP responses to limit potential DoS impact. Note that the snippet below tracks client source addresses by request rate; it bounds how much traffic reaches HAProxy but does not inspect response headers itself, so it reduces exposure rather than removing the trigger:

# Track each source IP in a stick-table and record its HTTP request rate over 10s
stick-table type ip size 100k expire 30s store http_req_rate(10s)
tcp-request connection track-sc0 src
# Reject new connections from sources that exceed 100 requests per 10s
tcp-request connection reject if { src_http_req_rate gt 100 }

🧯 If You Can't Patch

  • Implement network segmentation to limit which systems can send HTTP responses to HAProxy
  • Deploy WAF or reverse proxy in front of HAProxy to filter malicious traffic

🔍 How to Verify

Check if Vulnerable:

Check HAProxy version with 'haproxy -v' and compare against affected versions (before 2.4.18, 2.5.9, 2.6.0)

Check Version:

haproxy -v | grep -o 'version [0-9.]*'

Verify Fix Applied:

Verify version is 2.4.18+, 2.5.9+, or 2.6.0+ and test with known exploit patterns
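The version check above, worked through as a small POSIX shell script. This is an added example, not part of the advisory: it parses the first line of `haproxy -v` output (older releases print "HA-Proxy version ...", newer ones "HAProxy version ...") and classifies the version against the ranges stated on this page (everything before 2.4.18, the 2.5 branch before 2.5.9; 2.6.0 and later are fixed). The function names and the sample output are mine; the sample's suffix and date are placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a HAProxy version against
# the affected ranges named above. Function names and sample data are my own.

# Pull "X.Y.Z" out of `haproxy -v` output. Matches both "HA-Proxy version"
# (2.4 and earlier) and "HAProxy version" (2.5 and later).
parse_haproxy_version() {
    printf '%s\n' "$1" | sed -n 's/^HA-*Proxy version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when version $1 is inside the affected ranges,
# 1 when it is a fixed release, 2 when the string is not a version.
haproxy_is_vulnerable() {
    ver=$1
    case $ver in ''|*[!0-9.]*) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # A two-component version such as "2.6" carries no patch level.
    [ "$patch" = "$rest" ] && patch=0
    [ "$major" -lt 2 ] && return 0                      # 1.x: before 2.4.18
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 4 ] && return 0                      # 2.0 .. 2.3: before 2.4.18
    [ "$minor" -eq 4 ] && [ "$patch" -lt 18 ] && return 0
    [ "$minor" -eq 5 ] && [ "$patch" -lt 9 ] && return 0
    return 1                                            # 2.4.18+, 2.5.9+, 2.6.0+
}

# Report "<version> vulnerable|fixed" for a block of `haproxy -v` output.
classify_output() {
    v=$(parse_haproxy_version "$1")
    if [ -z "$v" ]; then
        echo "unknown: could not parse version"
        return 2
    fi
    if haproxy_is_vulnerable "$v"; then
        echo "$v vulnerable"
    else
        echo "$v fixed"
    fi
}

# Constructed sample of `haproxy -v` output (placeholder suffix and date,
# not captured from a real host).
SAMPLE_OUTPUT='HA-Proxy version 2.4.17-example 2022/01/01 - https://haproxy.org/
Status: long-term supported branch.'

# Check the installed binary when one is on PATH, otherwise the sample.
if out=$(haproxy -v 2>/dev/null); then
    classify_output "$out"
else
    classify_output "$SAMPLE_OUTPUT"
fi
```

The branch logic is deliberately explicit rather than a generic "version >= x" comparison, because the fixed release differs per maintained branch; a naive string or float comparison would, for example, misorder 2.4.18 and 2.4.9.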

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • HAProxy process restarting frequently
  • Connection timeouts
  • Error logs showing processing loops

Network Indicators:

  • Unusual HTTP responses containing Set-Cookie2 headers
  • Traffic patterns causing HAProxy CPU spikes

SIEM Query:

source="haproxy.log" AND ("high cpu" OR "timeout" OR "loop")
