CVE-2022-39271 Traefik is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a vulnerability in Traefik's management of HTTP/2 connections.

When using Traefik as an HTTP/2 proxy, it is possible to accidentally close an open connection. The HTTP/2 specification requires all connections to be closed after a given time, or when explicitly closed by the client. In an instance where the client is a reverse proxy like Traefik, the connection is still open and active on the proxy, so it is possible for the proxy to hang indefinitely due to a fatal error. This is due to an implicit close in the proxy code. There is currently no known workaround for this.

CVE-2023-39273

When using Traefik as an HTTP/2 proxy, it is possible for the client to intentionally close a connection. This causes the proxy to hang indefinitely due to an implicit close in the proxy code. There is currently no known workaround for this.

CVE-2022-39272

When using Traefik as an HTTP/2 proxy, it is possible to accidentally close an open connection. The HTTP/2 specification requires all connections to be closed after a given time, or when explicitly closed by the client. In an instance where the client is a reverse proxy like Traefik, the connection is still open and active on the proxy, so it is possible for the proxy to hang indefinitely due to a fatal error. This is due to an implicit close in the proxy code. There is currently no known workaround for this.

Vulnerability Title: Docker API Connection Aborts with an Internal Server Error

The vulnerability is called CVE-2022-39271, and it has been assigned a severity rating of high.

This vulnerability could lead to an HTTP/2 connection hanging indefinitely, leaving the proxy unable to handle any traffic.

CVE-2023-39272

When using Traefik as a reverse proxy, it is possible for the client to be tricked into using an existing connection instead of the new HTTP/2 one. This could cause an error in the server's implementation of HTTP/2, or might lead to a Denial Of Service (DoS) attack.

Timeline

Published on: 10/11/2022 14:15:00 UTC
Last modified on: 10/13/2022 16:39:00 UTC

References