Last Modified: Nov 07, 2023
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 188.8.131.52, 184.108.40.206, 16.1.3, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 17.0.0, 184.108.40.206, 220.127.116.11, 17.1.0, 18.104.22.168, 22.214.171.124, 126.96.36.199
Opened: Jul 22, 2022 Severity: 4-Minor
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows the release of HUDEVT_ACCEPTED to move from the filter to ORBIT, and HTTP adopted this new feature. When HTTP is disabled, HTTP explicitly disables HUDEVT_ACCEPTED handling as it goes into passthru, and subsequently enabling HTTP does not restore this handling. If this sequence happens prior to the first HTTP request, HUDEVT_ACCEPTED is released prematurely up the chain, so the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail because the criteria are locked, which may result in the connection being RST with an "Address in use" reset cause.
Connection is reset with "Address in use" reset cause.
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and then subsequently re-enabled before the first request arrives at HTTP in CLIENTSSL_HANDSHAKE
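To audit a configuration for the condition listed above, the following Python sketch flags iRule text that calls HTTP::disable in CLIENT_ACCEPTED and HTTP::enable in CLIENTSSL_HANDSHAKE. It is an added example, not F5 code; it reads the condition as the re-enable happening inside CLIENTSSL_HANDSHAKE, and the function names and both sample iRules are constructed for illustration.

```python
import re

# Start of a `when EVENT [priority N] {` block in iRule source.
WHEN_RE = re.compile(r'^\s*when\s+([A-Z_0-9]+)[^{\n]*\{', re.MULTILINE)

def event_bodies(irule):
    """Map each event name to the text of its `when` blocks.
    Simplification: braces inside strings or comments are not special-cased."""
    bodies = {}
    for m in WHEN_RE.finditer(irule):
        depth, i = 1, m.end()
        while i < len(irule) and depth:
            depth += {"{": 1, "}": -1}.get(irule[i], 0)
            i += 1
        bodies[m.group(1)] = bodies.get(m.group(1), "") + irule[m.end():i - 1] + "\n"
    return bodies

def calls(body, command):
    """True if `command` appears on a line that is not a # comment line."""
    pattern = re.compile(r'(?<![\w:])' + re.escape(command) + r'(?![\w:])')
    return any(pattern.search(line) for line in body.splitlines()
               if not line.strip().startswith("#"))

def matches_conditions(irule):
    """HTTP::disable in CLIENT_ACCEPTED plus HTTP::enable in CLIENTSSL_HANDSHAKE."""
    ev = event_bodies(irule)
    return (calls(ev.get("CLIENT_ACCEPTED", ""), "HTTP::disable")
            and calls(ev.get("CLIENTSSL_HANDSHAKE", ""), "HTTP::enable"))

# Constructed sample iRules (not taken from any real configuration).
FLAGGED = """
when CLIENT_ACCEPTED {
    set reenable 1
    HTTP::disable
}
when CLIENTSSL_HANDSHAKE {
    if { $reenable } {
        HTTP::enable
    }
}
"""
NOT_FLAGGED = """
when CLIENT_ACCEPTED {
    HTTP::disable
}
when CLIENTSSL_HANDSHAKE {
    # HTTP::enable
}
"""

if __name__ == "__main__":
    for name, text in (("FLAGGED", FLAGGED), ("NOT_FLAGGED", NOT_FLAGGED)):
        print(name, matches_conditions(text))
```

A match only means the iRule has the shape described in the conditions; whether a given virtual server is exposed still depends on it running an affected version with an HTTP profile.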