Bug/Confirmed: Improperly defined attributes in TLS configuration may expose router with empty TLS config

UPDATE:

Issue 9557 has been fixed in Traefik Proxy v2.9.6, and a CVE has been published for it (linked here). The fix changes how misconfigured TLS options are handled: if your TLS settings are currently misconfigured, this update blocks the affected routers from being exposed instead of bringing them up with an empty TLS configuration.

We took the opportunity to fix two additional vulnerabilities in the same release:

  1. The first is "Authorization Header Displayed in Debug Logs". When Traefik is used with one of four middlewares (identified here), the Authorization header, and therefore your credentials, could be written to the logs when the log level is set to DEBUG. To remedy this we have stopped emitting the logs of the oxy library.

  2. We updated the golang.org/x/net library to address a CVE in its HTTP/2 implementation that could allow an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests.


On November 29th, our team discovered a bug with security implications. We are currently working on a fix and will update this forum topic with any news and the CVE information.

What happens?

If any attribute of your TLS configuration is not defined correctly, then rather than failing the router configuration or applying the default TLS options, the router is exposed using an empty TLS configuration. An empty configuration means Go's crypto/tls defaults apply: any client-certificate requirement, cipher-suite or curve restriction and minimum-version setting from your TLS options is silently dropped.

This can be triggered by simply mistyping the name of the TLS options a router references, or the value of any attribute inside them (a cipher suite or curve name, for example), or by pointing at a certificate or key file that cannot be read or parsed.
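To make the failure mode concrete, here is an added Go example (not Traefik's own code; the tlsOptions type, the lookup tables and the function names are simplified stand-ins for this illustration). It validates a TLS options block, producing errors with the same wording as the log messages quoted in this post, and then contrasts the pre-fix behaviour, where a validation error is only logged and an empty crypto/tls config is handed to the router, with the fixed behaviour, where a router with invalid TLS options is not exposed at all:

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// tlsOptions is a simplified stand-in for a Traefik TLS options entry (assumed shape).
type tlsOptions struct {
	ClientAuthType   string
	CipherSuites     []string
	CurvePreferences []string
}

// Lookup tables from configuration names to crypto/tls constants (subset).
var (
	clientAuthTypes = map[string]tls.ClientAuthType{
		"NoClientCert":               tls.NoClientCert,
		"RequestClientCert":          tls.RequestClientCert,
		"RequireAnyClientCert":       tls.RequireAnyClientCert,
		"VerifyClientCertIfGiven":    tls.VerifyClientCertIfGiven,
		"RequireAndVerifyClientCert": tls.RequireAndVerifyClientCert,
	}
	cipherSuites = map[string]uint16{
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	}
	curves = map[string]tls.CurveID{"CurveP256": tls.CurveP256, "X25519": tls.X25519}
)

// buildTLSConfig validates every attribute and rejects the whole options block
// on the first unknown value, using the wording of the log messages in the post.
func buildTLSConfig(o tlsOptions) (*tls.Config, error) {
	conf := &tls.Config{}
	if o.ClientAuthType != "" {
		t, ok := clientAuthTypes[o.ClientAuthType]
		if !ok {
			return nil, fmt.Errorf("unknown client auth type %q", o.ClientAuthType)
		}
		conf.ClientAuth = t
	}
	for _, name := range o.CipherSuites {
		id, ok := cipherSuites[name]
		if !ok {
			return nil, fmt.Errorf("invalid CipherSuite: %s", name)
		}
		conf.CipherSuites = append(conf.CipherSuites, id)
	}
	for _, name := range o.CurvePreferences {
		id, ok := curves[name]
		if !ok {
			return nil, fmt.Errorf("invalid CurveID in curvePreferences: %s", name)
		}
		conf.CurvePreferences = append(conf.CurvePreferences, id)
	}
	return conf, nil
}

// getTLSConfig resolves the options a router references by name; a mistyped name
// and a mistyped value both surface as an error.
func getTLSConfig(name string, store map[string]tlsOptions) (*tls.Config, error) {
	opts, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("unknown TLS options: %s", name)
	}
	return buildTLSConfig(opts)
}

// vulnerableGet reproduces the failure mode described above: the error is only
// logged and an empty tls.Config is handed to the router, which then comes up with
// Go's defaults (no cipher/curve restriction, ClientAuth == NoClientCert: mTLS dropped).
func vulnerableGet(name string, store map[string]tlsOptions) *tls.Config {
	conf, err := getTLSConfig(name, store)
	if err != nil {
		fmt.Printf("ERROR %v\n", err) // logged, but the router is still exposed
		return &tls.Config{}
	}
	return conf
}

// exposeRouter models the fixed behaviour: a router whose TLS options fail
// validation is not wired up at all. It returns whether the router was exposed.
func exposeRouter(name string, store map[string]tlsOptions) (bool, *tls.Config) {
	conf, err := getTLSConfig(name, store)
	if err != nil {
		fmt.Printf("ERROR router %q skipped: %v\n", name, err)
		return false, nil
	}
	return true, conf
}

func main() {
	// Constructed options: mTLS intended, but the cipher-suite name is mistyped (348 vs 384).
	store := map[string]tlsOptions{"mtls": {ClientAuthType: "RequireAndVerifyClientCert",
		CipherSuites: []string{"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA348"}}}
	before := vulnerableGet("mtls", store)
	fmt.Printf("before fix: exposed, ClientAuth=%d ciphers=%d\n", before.ClientAuth, len(before.CipherSuites))
	exposed, _ := exposeRouter("mtls", store)
	fmt.Printf("after fix: exposed=%v\n", exposed)
}
```

The point of the example is the difference between vulnerableGet and exposeRouter: both log the same error line, so the log check described in this post finds the problem in both versions, but only the fixed path refuses to serve traffic with a configuration that no longer requires a client certificate.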

How do I know if I am affected?

Check the Traefik logs. If you are affected, they will contain one of these errors:

invalid certificate(s)
invalid clientAuthType
unknown client auth type
invalid CipherSuite
invalid CurveID in curvePreferences
failed to get cert file content
failed to get key file content
failed to load X509 key pair

How likely am I to have been affected?

If you follow best practices, it is unlikely you are affected, because the error is written to the logs as soon as the configuration is loaded and is therefore caught when you validate a configuration change before relying on it.

When will this be addressed?

Our team is currently working on a fix and expects to release it next week.