On April 2, 2020, details were made public about a security flaw that impacts systems running the HAProxy component when HTTP/2 support is enabled. Before the flaws were publicly disclosed, Red Hat worked to determine the impact to our customers for hosted services that use HAProxy - including OpenShift Dedicated, OpenShift Online, and Azure Red Hat OpenShift. We have verified that none of these managed services are using the vulnerable HAProxy configuration.
For more information on this vulnerability, see CVE-2020-11100 and Red Hat’s vulnerability article.
Questions about the vulnerability can be asked via Red Hat Support. For questions about how this vulnerability affects Azure Red Hat OpenShift, please contact Microsoft Support.
Red Hat OpenShift SRE Security Team