GHSA-HRHX-6H34-J5HC

Vulnerability from github – Published: 2022-02-16 22:30 – Updated: 2022-02-16 22:30
VLAI?
Summary
Skip the router TLS configuration when the host header is an FQDN
Details

Impact

People that configure mTLS between Traefik and clients.

For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration.

  • When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one.

  • If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration.

Patches

Traefik v2.6.x: https://github.com/traefik/traefik/releases/tag/v2.6.1

Workarounds

Add the FDQN to the host rule:

Example:

  whoami:
    image: traefik/whoami:v1.7.1
    labels:
      traefik.http.routers.whoami.rule: Host(`whoami.example.com`, `whoami.example.com.`)
      traefik.http.routers.whoami.tls: true
      traefik.http.routers.whoami.tls.options: mtls@file

There is no workaround if the CNAME flattening is enabled.

For more information

If you have any questions or comments about this advisory, please open an issue.

Severity ?
7.4 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-16T22:30:57Z",
    "nvd_published_at": "2022-02-17T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nPeople that configure mTLS between Traefik and clients.\n\nFor a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration.\n\n- When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one.\n\n- If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration.\n\n### Patches\n\nTraefik v2.6.x: https://github.com/traefik/traefik/releases/tag/v2.6.1\n\n### Workarounds\n\nAdd the FDQN to the host rule:\n\nExample:\n\n```yml\n  whoami:\n    image: traefik/whoami:v1.7.1\n    labels:\n      traefik.http.routers.whoami.rule: Host(`whoami.example.com`, `whoami.example.com.`)\n      traefik.http.routers.whoami.tls: true\n      traefik.http.routers.whoami.tls.options: mtls@file\n```\n\nThere is no workaround if the CNAME flattening is enabled.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n",
  "id": "GHSA-hrhx-6h34-j5hc",
  "modified": "2022-02-16T22:30:57Z",
  "published": "2022-02-16T22:30:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23632"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/pull/8764"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.6.1"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Skip the router TLS configuration when the host header is an FQDN"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.