Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2018-1221: Gorouter websocket handling vulnerability

by: February 13, 2018

CVE-2018-1221: Gorouter websocket handling vulnerability

Severity

Critical

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • cf-deployment
    • All versions prior to 1.14.0
  • routing-release
    • All versions prior to 0.172.0

Description

The Cloud Foundry Gorouter mishandles WebSocket requests for AWS Application Load Balancers (ALBs) and some other HTTP-aware Load Balancers. A user with developer privileges could use this vulnerability to steal data or cause denial of service.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • cf-deployment: 1.14.0
    • routing-release: 0.172.0

References

Credit

This issue was responsibly reported by the Volkswagen Digital:Lab Platform Team.

History

2018-02-13: Initial vulnerability report published, versions clarified, credit added.

2018-02-14: Versions clarified.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-3249-2: Linux kernel (Xenial HWE) vulnerability
Security Advisory

USN-3249-2: Linux kernel (Xenial HWE) vulnerability

by Cloud Foundry Foundation Security Team March 31, 2017
CVE-2017-8047: Cloud Foundry router open redirect
Security Advisory

CVE-2017-8047: Cloud Foundry router open redirect

by Cloud Foundry Foundation Security Team September 25, 2017
USN-3885-1: OpenSSH vulnerabilities
Security Advisory

USN-3885-1: OpenSSH vulnerabilities

by Cloud Foundry Foundation Security Team February 15, 2019
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept