Is Traefik affected by the latest HTTP/2 DoS "Continuation flood"?

The latest HTTP/2 DoS seems to affect Go and seems to affect the same products as last year's HTTP/2 "Rapid Reset".

CVE-2023-45288

So just wondering if there is going to be a fix or a statement that it doesn't affect Traefik Proxy.

3 Likes

Hoping we can get an answer on this soon.

I'm eagerly waiting for this one as well. I definitely expect Traefik to be vulnerable and await releases for 2.10.x and 2.11.x. Of course, building your own release with a recent/fixed Go would do the trick as well, but a central release makes it easier for everyone.

Maybe @emile , @nicomengin , @svx or @ldez have some insights?

A release will happen quickly.

Looks like v2.11.1 is out now which uses golang 1.22.2 and x/net 0.24.0 which include patches for that CVE: Release v2.11.1 · traefik/traefik · GitHub
net/http, x/net/http2: close connections when receiving too many headers · CVE-2023-45288 · GitHub Advisory Database · GitHub

It would be nice if the CVE was mentioned in the release notes. That would make vulnerability management much easier from an end-user organization's point of view.

2 Likes
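Since the fix for CVE-2023-45288 lives in the Go toolchain (the HTTP/2 code bundled into net/http) and in the golang.org/x/net module, the practical check on a deployed binary is to read its embedded build metadata with `go version -m <binary>` and compare both versions against the fixed ones. The program below is an added example, not Traefik's own code: it parses a constructed sample of that output (the module paths and hashes in the sample are assumptions, not copied from a real release) and reports whether the toolchain and x/net versions are at or above the fixed releases. The thresholds go beyond the versions named in the post above: Go 1.22.2 and its backport 1.21.9, and x/net v0.23.0, are the releases that shipped the fix, so a build on x/net v0.24.0 as in v2.11.1 passes.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go version -m <binary>` output for a Traefik build.
// The module paths and h1: hashes are placeholders, not real release data.
const sampleBuildInfo = `traefik: go1.22.2
	path	github.com/traefik/traefik/v2/cmd/traefik
	mod	github.com/traefik/traefik/v2	(devel)
	dep	golang.org/x/net	v0.24.0	h1:constructed
	dep	github.com/go-acme/lego/v4	v4.16.1	h1:constructed
`

// BuildInfo holds the toolchain version and the linked module versions.
type BuildInfo struct {
	GoVersion string            // e.g. "go1.22.2"
	Deps      map[string]string // module path -> version, e.g. "golang.org/x/net" -> "v0.24.0"
}

// ParseBuildInfo reads the `go version -m` layout: the first line is
// "<file>: go<version>", the following lines are whitespace-separated
// records whose first field is path, mod, dep or build.
func ParseBuildInfo(out string) BuildInfo {
	bi := BuildInfo{Deps: map[string]string{}}
	for i, line := range strings.Split(out, "\n") {
		if i == 0 {
			if idx := strings.LastIndex(line, ": "); idx >= 0 {
				bi.GoVersion = strings.TrimSpace(line[idx+2:])
			}
			continue
		}
		fields := strings.Fields(line)
		if len(fields) >= 3 && fields[0] == "dep" {
			bi.Deps[fields[1]] = fields[2]
		}
	}
	return bi
}

// parseVersion turns "go1.22.2" or "v0.24.0" into [major, minor, patch];
// trailing non-digits such as "rc1" are ignored, missing parts are zero.
func parseVersion(v string) []int {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	var parts []int
	for _, p := range strings.Split(v, ".") {
		n := 0
		for _, c := range p {
			if c < '0' || c > '9' {
				break
			}
			n = n*10 + int(c-'0')
		}
		parts = append(parts, n)
	}
	for len(parts) < 3 {
		parts = append(parts, 0)
	}
	return parts
}

// atLeast reports whether version v is >= min, comparing major, minor, patch.
func atLeast(v, min string) bool {
	a, b := parseVersion(v), parseVersion(min)
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return true
}

// GoFixed reports whether the toolchain's bundled net/http HTTP/2 code
// carries the CVE-2023-45288 fix: Go 1.22.2 or later, or the 1.21.9 backport.
func GoFixed(goVersion string) bool {
	v := parseVersion(goVersion)
	if v[0] == 1 && v[1] == 21 {
		return v[2] >= 9
	}
	return atLeast(goVersion, "go1.22.2")
}

// XNetFixed reports whether a linked golang.org/x/net module is at or above
// v0.23.0. A binary that does not link x/net depends only on the toolchain.
func XNetFixed(deps map[string]string) bool {
	v, ok := deps["golang.org/x/net"]
	if !ok {
		return true
	}
	return atLeast(v, "v0.23.0")
}

// Patched is the overall verdict: both the toolchain and any linked x/net
// must be at or above the fixed versions.
func Patched(bi BuildInfo) bool {
	return GoFixed(bi.GoVersion) && XNetFixed(bi.Deps)
}

func main() {
	bi := ParseBuildInfo(sampleBuildInfo)
	fmt.Printf("go=%s x/net=%s patched=%v\n",
		bi.GoVersion, bi.Deps["golang.org/x/net"], Patched(bi))
}
```

To use it on a real deployment, pipe `go version -m /path/to/traefik` into ParseBuildInfo instead of the constructed sample; the verdict is only as good as the embedded metadata, so a binary built with build info stripped has to be checked against its release notes instead.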

I'm also surprised a bit that seemingly the security mailing list as mentioned on Security Overview · traefik/traefik · GitHub is not used anymore. Last post from 2022, although the referenced CVE search (CVE - Search Results) mentions Traefik 4 times in 2023 - but no mentions for this one, which of course is caused in Go, but is still relevant for Traefik.

2 Likes

I agree, the handling of this issue feels kind of disappointing:

  1. It took Traefik 4 days to respond on the forum
  2. It took 2 more days for a patch release
  3. Traefik didn't announce the patch here themselves
  4. The release was not explicitly documented with the CVE
  5. The patch release was intermingled with other updates

What would I have expected:

  1. Traefik to monitor CVE for their dependencies
  2. Traefik to create their own issue, so others can see it
  3. Traefik to update dependencies and create a new patch release
  4. Document the CVE in the release notes

This is of course a dream scenario, I don't know what happened in the background, I don't know if the updated dependencies also required code change, but I wish the communication had been handled better. Especially as I expect that a similar update was required for Traefik CE and EE.

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Hello there,

As mentioned in a previous message, we have released Traefik v2.11.2 and v3.0.0-rc5 that embed the bug fix on top of another CVE fix (more details here).

Sorry for the delay, we were waiting for the CVE-2024-28869 to be fixed before communicating on both CVEs.

1 Like