Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2016-3091 Diego log encoding vulnerability

CVE-2016-3091 Diego log encoding vulnerability

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

Diego-release versions 0.1468.0 through 0.1470.0

Description

Due to how Diego handles breaking up large log streams on UTF-8 boundaries, it is possible to cause a denial of service on a Cloud Foundry installation with an app outputting malformed UTF-8 sequences.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Deployments running Diego versions 0.1468.0 through 0.1470.0 upgrade to Diego version 0.1471.0

Credit

This issue was identified by a VMware team and reported responsibly to the Cloud Foundry Foundation.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES