CVE-2022-0711 Overview
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This vulnerability exists in HAProxy's HTTP response parsing logic, specifically in how it handles the deprecated Set-Cookie2 header. An attacker can send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability, as it can completely disrupt load balancing operations for affected infrastructure.
Critical Impact
This vulnerability allows remote attackers to cause a complete denial of service on HAProxy instances by triggering an infinite loop through specially crafted HTTP responses containing Set-Cookie2 headers, potentially disrupting all traffic routed through affected load balancers.
Affected Products
- HAProxy (versions prior to the security fix)
- Red Hat OpenShift Container Platform 4.0
- Red Hat Software Collections
- Red Hat Enterprise Linux 7.0 and 8.0
- Debian Linux 11.0
Discovery Timeline
- 2022-03-02 - CVE-2022-0711 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0711
Vulnerability Analysis
This vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop vulnerability. The flaw exists in HAProxy's HTTP response processing code, specifically in the http_manage_server_side_cookies function within src/http_ana.c. When HAProxy processes HTTP responses, it iterates through cookie headers to perform various operations. The vulnerability occurs when the code searches for Set-Cookie2 headers after processing Set-Cookie headers, but fails to properly track that it has already switched to searching for Set-Cookie2, causing the loop to restart indefinitely.
The vulnerability can be exploited remotely over the network without any authentication or user interaction required. An attacker controlling a backend server, or able to inject HTTP responses through other means, can craft malicious HTTP responses that trigger this condition. Since HAProxy is typically deployed as a critical load balancer in front of web applications, a successful attack would deny service to all applications behind the affected HAProxy instance.
Root Cause
The root cause lies in improper state management within the cookie header parsing loop. When the code transitions from searching for "Set-Cookie" headers to "Set-Cookie2" headers, it fails to properly track the is_cookie2 state flag. This causes the http_find_header function to be called repeatedly with the same parameters in an unbounded loop, never reaching the exit condition. The loop was designed to process both types of cookie headers sequentially, but the logic error prevents proper progression through the headers.
Attack Vector
The attack vector involves sending HTTP responses with crafted Set-Cookie2 headers to a backend server that HAProxy is proxying. When HAProxy processes this response to forward it to the client, it enters the infinite loop. This is a network-based attack that requires no privileges or user interaction:
- Attacker controls or compromises a backend server behind HAProxy
- Backend server sends an HTTP response containing a Set-Cookie2 header
- HAProxy's http_manage_server_side_cookies function processes the response
- The cookie parsing loop enters an infinite loop condition
- HAProxy process becomes unresponsive, denying service to all clients
// Security patch from HAProxy commit bfb15ab
// This fix ensures the is_cookie2 flag is checked before searching for Set-Cookie headers
// to prevent the loop from restarting after switching to Set-Cookie2 processing
while (1) {
int is_first = 1;
- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
+ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
break;
is_cookie2 = 1;
Source: GitHub HAProxy Commit
Detection Methods for CVE-2022-0711
Indicators of Compromise
- HAProxy processes consuming 100% CPU with no corresponding increase in legitimate traffic
- HAProxy instances becoming unresponsive to health checks
- Backend server logs showing responses with Set-Cookie2 headers that coincide with HAProxy failures
- Sudden service unavailability for all applications behind HAProxy
Detection Strategies
- Monitor HAProxy process CPU utilization for sustained 100% usage patterns that indicate infinite loop conditions
- Implement health check monitoring that alerts when HAProxy fails to respond within expected timeframes
- Analyze HTTP response headers from backend servers for the presence of Set-Cookie2 headers, particularly from untrusted or newly added backends
- Deploy network traffic analysis to detect unusual patterns in responses flowing through HAProxy
Monitoring Recommendations
- Configure alerts for HAProxy process hangs or excessive CPU consumption using monitoring tools like Prometheus, Nagios, or Datadog
- Enable HAProxy access logging and monitor for timeout errors that might indicate processing issues
- Implement automated HAProxy restart mechanisms with alerting to detect repeated crash/restart cycles
- Use distributed tracing to identify requests that coincide with HAProxy unresponsiveness
How to Mitigate CVE-2022-0711
Immediate Actions Required
- Update HAProxy to a patched version that includes commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
- For Red Hat systems, apply security updates from Red Hat Security Advisory
- For Debian systems, apply security updates from DSA-5102
- Review backend server configurations to identify any that may be sending Set-Cookie2 headers
- Consider implementing HAProxy process monitoring with automatic restart capabilities as a temporary measure
Patch Information
The vulnerability has been patched in HAProxy through commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8. The fix adds a check for the is_cookie2 flag at the beginning of each loop iteration, ensuring that once the code switches to processing Set-Cookie2 headers, it doesn't attempt to search for Set-Cookie headers again. This prevents the infinite loop condition.
Vendor-specific patches are available:
- Red Hat CVE Advisory - For RHEL, OpenShift, and Software Collections
- Debian Security Advisory DSA-5102 - For Debian Linux 11.0
Workarounds
- If immediate patching is not possible, consider implementing a Web Application Firewall (WAF) rule to filter responses containing Set-Cookie2 headers before they reach HAProxy
- Deploy HAProxy process monitoring that automatically restarts the service when CPU usage exceeds normal thresholds for extended periods
- Implement load balancer redundancy with health checks to automatically failover to backup HAProxy instances
- Review and restrict which backend servers can respond through HAProxy to limit potential attack vectors
# Check HAProxy version and verify patch status
haproxy -v
# For RHEL/CentOS systems, update HAProxy
sudo yum update haproxy
# For Debian/Ubuntu systems, update HAProxy
sudo apt-get update && sudo apt-get upgrade haproxy
# Verify the running version after update
systemctl status haproxy
haproxy -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
