Severity
High
Vendor
Cloud Foundry Foundation
Description
Various Cloud Foundry components are written in Go and are therefore exposed to a denial-of-service vulnerability in Go itself. Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
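The advisory's affected range (any Go before 1.12.11, or 1.13.x before 1.13.2) can be checked against the toolchain that built each deployed component. The Go program below is an added example, not part of the advisory or of any Cloud Foundry release: it extracts the toolchain string from a `go version <binary>` output line and classifies it; the sample lines and file paths are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Toolchain strings as printed by `go version` / `go version <binary>`,
// e.g. "go1.12.10", "go1.13" or "go1.13rc1"; patch and pre-release suffix are optional.
var toolchainRe = regexp.MustCompile(`go(\d+)\.(\d+)(?:\.(\d+))?(?:[a-z]+\d*)?`)

// extractToolchain pulls the Go toolchain version out of a line such as
// "/var/vcap/packages/example/bin/example: go1.12.10" (constructed path).
func extractToolchain(line string) (string, error) {
	v := toolchainRe.FindString(line)
	if v == "" {
		return "", fmt.Errorf("no Go toolchain version in %q", line)
	}
	return v, nil
}

// affectedByDSAPanic reports whether a toolchain version falls in the advisory's
// range: any Go 1.x before 1.12.11, or 1.13.x before 1.13.2. A pre-release such
// as go1.13rc1 carries no patch number and is treated as 1.13.0 (affected).
func affectedByDSAPanic(toolchain string) (bool, error) {
	toolchain = strings.TrimSpace(toolchain)
	m := toolchainRe.FindStringSubmatch(toolchain)
	if m == nil || m[0] != toolchain { // reject "devel +..." and other non-release strings
		return false, fmt.Errorf("unrecognised Go version %q", toolchain)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	if major != 1 {
		return false, nil
	}
	switch {
	case minor < 12:
		return true, nil // every release before 1.12.11 is affected
	case minor == 12:
		return patch < 11, nil
	case minor == 13:
		return patch < 2, nil
	default:
		return false, nil
	}
}
```

Run `go version /path/to/binary` on each Go-built job binary and feed the lines through the two functions; a build reported as affected should be upgraded per the Mitigation section.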
Affected Cloud Foundry Products and Versions
- CF Deployment
  - All versions prior to v12.15.0
- CF NFS volume release
  - 2.3 versions prior to v2.3.2
  - 1.7 versions prior to v1.7.12
  - 5.0 versions prior to v5.0.1
- mapfs
  - All versions prior to v1.2.1
- Log Cache
  - 2.1 versions prior to v2.1.11
- CAPI
  - All versions prior to 1.88.0
- Silk CNI Plugin
  - All versions prior to 2.27.0
- CF Networking
  - All versions prior to 2.27.0
- BOSH DNS
  - All versions prior to v1.15.0
- Statsd Injector
  - All versions prior to v1.11.1
- Loggregator Agent
  - 2.x versions prior to v2.3.4
  - 3.x versions prior to v3.21.4
- Syslog Drain
  - All versions prior to v8.2.3
- Loggregator
  - 105 versions prior to v105.6.2
  - 103 versions prior to v103.4.3
- Xenial Stemcells
  - 97 versions prior to 97.187
  - 170 versions prior to 170.162
  - 250 versions prior to 250.142
  - 315 versions prior to 315.126
  - 456 versions prior to 456.51
- CF CLI Release
  - v1.x versions prior to v1.22.0
- Diego
  - All versions prior to v2.40.0
- Syslog
  - All versions prior to v11.6.0
- Garden-runC
  - All versions prior to v1.19.9
- SMB Volume
  - All versions prior to v2.0.4
- Routing
  - All versions prior to 0.195.0
- Leadership Election
  - 1.0 versions prior to v1.4.2
- CF CLI
  - 6.x versions prior to v6.47.2
  - 7.x versions prior to v7.0.0-beta.27
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- CF Deployment
  - Upgrade all versions to v12.15.0 or greater
- CF NFS volume release
  - Upgrade 2.3 versions to v2.3.2 or greater
  - Upgrade 1.7 versions to v1.7.12 or greater
  - Upgrade 5.0 versions to v5.0.1 or greater
- mapfs
  - Upgrade all versions to v1.2.1 or greater
- Log Cache
  - Upgrade 2.1 versions to v2.1.11 or greater
- CAPI
  - Upgrade all versions to 1.88.0 or greater
- Silk CNI Plugin
  - Upgrade all versions to 2.27.0 or greater
- CF Networking
  - Upgrade all versions to 2.27.0 or greater
- BOSH DNS
  - Upgrade all versions to v1.15.0 or greater
- Statsd Injector
  - Upgrade all versions to v1.11.1 or greater
- Loggregator Agent
  - Upgrade 2.x versions to v2.3.4 or greater
  - Upgrade 3.x versions to v3.21.4 or greater
- Syslog Drain
  - Upgrade all versions to v8.2.3 or greater
- Loggregator
  - Upgrade 105 versions to v105.6.2 or greater
  - Upgrade 103 versions to v103.4.3 or greater
- Xenial Stemcells
  - Upgrade 97 versions to 97.187 or greater
  - Upgrade 170 versions to 170.162 or greater
  - Upgrade 250 versions to 250.142 or greater
  - Upgrade 315 versions to 315.126 or greater
  - Upgrade 456 versions to 456.51 or greater
- CF CLI Release
  - Upgrade v1.x versions to v1.22.0 or greater
- Diego
  - Upgrade all versions to v2.40.0 or greater
- Syslog
  - Upgrade all versions to v11.6.0 or greater
- Garden-runC
  - Upgrade all versions to v1.19.9 or greater
- SMB Volume
  - Upgrade all versions to v2.0.4 or greater
- Routing
  - Upgrade all versions to 0.195.0 or greater
- Leadership Election
  - Upgrade 1.0 versions to v1.4.2 or greater
- CF CLI
  - Upgrade 6.x versions to v6.47.2 or greater
  - Upgrade 7.x versions to v7.0.0-beta.27 or greater
History
2019-12-16: Initial vulnerability report published.