TPS-2021-001 CVE-2021-40346 - HAProxy

Overview

This notice is to advise Joyent customers and open source users of Triton and Manta about CVE-2021-40346, an integer overflow in HAProxy's HTTP header handling that can be used for HTTP request smuggling. A remote attacker who exploits it may bypass http-request ACLs configured in HAProxy (and possibly other ACLs). HAProxy is part of the Triton cloudapi and Manta loadbalancer and webapi images listed under Actions You Need to Take.

Description

Further details about this vulnerability, including the affected HAProxy versions and a list of applications/services that may be vulnerable, are in the CVE record for CVE-2021-40346 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40346) and in the HAProxy project's own announcement of the fix.

Actions taken by Joyent

The fix has been submitted for upstream inclusion and has been deployed to Joyent's production environment.

The fix is also available to Joyent software customers as Manta and cloudapi image updates (image UUIDs listed below).

Any new updates/information will be posted in this advisory.

Actions You Need to Take

Triton Enterprise

Apply this fix to an on-premises installation by updating cloudapi to the following image UUID from the release channel:

  • cloudapi 2aeb561c-5ff7-4978-bc30-fcd78aa244dd

MantaV1 - Update to the following from the release channel:

  • mantav1-loadbalancer 1ddcde06-4a8e-4c98-80b2-796364326e46

MantaV2 - Update to the following from the release channel:

  • mantav2-loadbalancer 3882d922-2b86-4ce2-874e-3ebe4996dc56
  • mantav2-webapi ffc7a597-3148-4e56-8d5d-31c27b9b8455

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.
