Update on HAproxy HTTP/2 HPACK Decoder Vulnerability (2 April 2020)

Update on HAproxy HTTP/2 HPACK Decoder Vulnerability (2 April 2020)

Security Updated on 1 min

A critical vulnerability in HAProxy’s HTTP/2 HPACK decoder in versions 1.8 and above has been discovered. You can read the blog HAProxy posted today which details the vulnerability and how it's been fixed.

This does not impact the majority of Loadbalancer.org's customers

We'd like to assure Loadbalancer.org's partners and customers – the vast majority of you will not be affected by this vulnerability. We have already contacted the small number of customers we think might be affected by this.

HAProxy confirmed the vulnerability was discovered on 24 March, fixed on 30 March and made public today. As our products use HAProxy, we were notified in advance, which enabled us to test the patch with our appliance and hotfix before the issue was made public.

If you have any further concerns about this, please email support@loadbalancer.org.