Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Skip the router TLS configuration when the host header is an FQDN
Impact
People who configure mTLS between Traefik and clients.
For a request, the TLS configuration selected can differ from the router selected, which means the wrong TLS configuration is used:
- When a request is sent using an FQDN (host name with a trailing dot) that is handled by a router with a dedicated TLS configuration, the TLS configuration falls back to the default one, which may not match the configured one.
- If CNAME flattening is enabled, the TLS configuration is selected from the SNI while routing uses the CNAME value, so the expected TLS configuration can be skipped.
Patches
Traefik v2.6.x: https://github.com/traefik/traefik/releases/tag/v2.6.1
Workarounds
Add the FQDN (trailing-dot form) to the host rule:
Example:
  whoami:
    image: traefik/whoami:v1.7.1
    labels:
      traefik.http.routers.whoami.rule: Host(`whoami.example.com`, `whoami.example.com.`)
      traefik.http.routers.whoami.tls: true
      traefik.http.routers.whoami.tls.options: mtls@file
There is no workaround if the CNAME flattening is enabled.
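A configuration check for the workaround above, added here as an example and not part of Traefik: it reads docker-compose router labels (the `traefik.http.routers.<name>.rule` and `.tls.options` keys from the example) and reports hosts that have dedicated TLS options but no trailing-dot FQDN form in the Host rule. The label layout and the sample values are assumptions derived from the example above.

```python
import re

# Matches every Host(...) matcher in a Traefik v2 rule string and the
# backtick-quoted host names inside it.
HOST_MATCHER_RE = re.compile(r"Host\(([^)]*)\)")
HOST_NAME_RE = re.compile(r"`([^`]*)`")


def hosts_in_rule(rule: str) -> list[str]:
    """Return all host names listed in the Host() matchers of a router rule."""
    hosts = []
    for matcher in HOST_MATCHER_RE.finditer(rule):
        hosts.extend(HOST_NAME_RE.findall(matcher.group(1)))
    return hosts


def hosts_missing_fqdn(rule: str) -> list[str]:
    """Hosts that appear only without the trailing dot (the FQDN form the workaround adds)."""
    hosts = set(hosts_in_rule(rule))
    return sorted(h for h in hosts if not h.endswith(".") and h + "." not in hosts)


def check_router_labels(labels: dict) -> dict[str, list[str]]:
    """For every router with a dedicated tls.options label, report hosts in its
    rule that lack the FQDN variant. Routers on the default TLS options are not
    reported: falling back to the default configuration changes nothing for them."""
    findings = {}
    for key in labels:
        m = re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.tls\.options", key)
        if not m:
            continue
        router = m.group(1)
        rule = str(labels.get(f"traefik.http.routers.{router}.rule", ""))
        missing = hosts_missing_fqdn(rule)
        if missing:
            findings[router] = missing
    return findings


# Constructed sample labels: "whoami" is the advisory's router before the
# workaround, "whoami-fixed" is the same router with the workaround applied.
SAMPLE_LABELS = {
    "traefik.http.routers.whoami.rule": "Host(`whoami.example.com`)",
    "traefik.http.routers.whoami.tls": True,
    "traefik.http.routers.whoami.tls.options": "mtls@file",
    "traefik.http.routers.whoami-fixed.rule": "Host(`whoami.example.com`, `whoami.example.com.`)",
    "traefik.http.routers.whoami-fixed.tls": True,
    "traefik.http.routers.whoami-fixed.tls.options": "mtls@file",
}

if __name__ == "__main__":
    for router, hosts in check_router_labels(SAMPLE_LABELS).items():
        print(f"router {router!r}: add the FQDN form for {hosts}")
```

The check is only useful on versions below 2.6.1 and, as the advisory states, does not help when CNAME flattening is enabled; upgrading to 2.6.1 is the actual fix.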
For more information
If you have any questions or comments about this advisory, please open an issue.
Permalink: https://github.com/advisories/GHSA-hrhx-6h34-j5hc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocmh4LTZoMzQtajVoY80sbQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-hrhx-6h34-j5hc, CVE-2022-23632
References:
- https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc
- https://nvd.nist.gov/vuln/detail/CVE-2022-23632
- https://github.com/traefik/traefik/pull/8764
- https://github.com/traefik/traefik/releases/tag/v2.6.1
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-hrhx-6h34-j5hc
Blast Radius: 12.7
Affected Packages
go:github.com/traefik/traefik/v2
Dependent packages: 44
Dependent repositories: 52
Affected Version Ranges: < 2.6.1
Fixed in: 2.6.1
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0
All unaffected versions: 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.11.0, 2.11.1, 2.11.2