TPS-2021-001 CVE-2021-40346 - HAProxy
Overview
This notice is to advise Joyent customers and open source users of Triton and Manta about CVE-2021-40346, a potential security vulnerability in HAProxy that may allow an attacker to bypass http-request ACLs.
Description
Further details surrounding this vulnerability (including a list of applications/services that may be vulnerable) can be found in this alert from CVE.
Actions taken by Joyent
The fix has been made available for upstream inclusion and has been deployed into our production environment.
The fix is also available to our software customers via manta and cloudapi image updates.
Any new updates/information will be posted in this advisory.
Actions You Need to Take
Triton Enterprise
The method for applying this fix to your on-premises software installation will be to update cloudapi to the following image UUID using the release channel:
Triton Enterprise
- cloudapi 2aeb561c-5ff7-4978-bc30-fcd78aa244dd
MantaV1 - Update to the following from the release channel:
- mantav1-loadbalancer 1ddcde06-4a8e-4c98-80b2-796364326e46
MantaV2 - Update to the following from the release channel:
- mantav2-loadbalancer 3882d922-2b86-4ce2-874e-3ebe4996dc56
- mantav2-webapi ffc7a597-3148-4e56-8d5d-31c27b9b8455
Support
If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.