CVE-2022-23632: Mutual TLS Configurations

On February 9th, a security vulnerability (CVE-2022-23632) was reported to us. Only Traefik Proxy and Traefik Enterprise users who rely on mutual TLS for client authentication are affected. The vulnerability allows the TLS configuration actually applied to a connection to differ from the one specified on the router, so a configuration with weaker restrictions than intended (for example, one that does not require and verify a client certificate) may be used, potentially exposing the router to unauthenticated access.

We have identified two configurations where the TLS options applied to a request may differ from the ones intended:

  1. When the request uses a fully qualified domain name (FQDN, a host name with a trailing dot), the default TLS configuration is used instead of the router's.
  2. When `--hostresolver.cnameflattening` is enabled, the TLS configuration is selected from the SNI value of the request instead of the CNAME-flattened host name.
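As an added illustration (not configuration from the advisory or the Traefik project), the dynamic configuration below shows the two option sets involved in case 1: the strict `mtls` options a router is meant to use, and the `default` options Traefik falls back to when no router-specific options are selected. Host names, file paths, the service address and the option name `mtls` are placeholders. Keeping `default` as strict as the router-specific options is a defense-in-depth measure that limits the impact of the fallback; it does not address case 2 and is not a substitute for upgrading.

```yaml
# Added example, not from the advisory or the Traefik project.
# Traefik v2 dynamic configuration for the file provider.
# All host names, paths, addresses and the option name "mtls" are placeholders.
tls:
  options:
    # Strict options the router below is intended to use:
    # TLS 1.2+ and a client certificate signed by our CA is mandatory.
    mtls:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /etc/traefik/certs/client-ca.pem
        clientAuthType: RequireAndVerifyClientCert
    # The "default" options are what Traefik applies when no router-specific
    # options are selected. Before the fix, a request using an FQDN landed here,
    # so leaving "default" permissive would silently drop the client-cert
    # requirement. Mirroring the "mtls" settings keeps the fallback strict.
    default:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /etc/traefik/certs/client-ca.pem
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    api:
      rule: "Host(`api.example.com`)"
      entryPoints:
        - websecure
      service: api-svc
      tls:
        # Router-level options: this is the configuration the advisory says
        # could be bypassed in favour of "default".
        options: mtls
  services:
    api-svc:
      loadBalancer:
        servers:
          - url: "http://10.0.0.10:8080"
```

After deploying, confirm that a handshake without a client certificate is rejected for the router's host, for example with `openssl s_client -connect <host>:443 -servername api.example.com` and no `-cert`/`-key`; with `RequireAndVerifyClientCert` in effect the handshake should fail rather than complete. Repeat the check for any other host name that reaches the same entry point, since those are the requests that select `default`.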

We have deployed a patch to resolve this vulnerability. Traefik Proxy users should upgrade to Traefik Proxy 2.6.1 and Traefik Enterprise users to Traefik Enterprise 2.5.7. Please note that the fix is only available in these latest releases; you must upgrade to the latest version of Traefik Proxy or Traefik Enterprise to receive it.

Visit this GitHub page for an in-depth explanation of the CVE report.

If you have any questions or if you encounter any problems deploying the patch, please ask here (for Traefik Proxy users), or reach out to Traefik Labs Support (for Traefik Enterprise customers).
