CVE-2023-20882: Gorouter pruning via client disconnect resulting in DOS | Cloud Foundry

Severity

High

Vendor

Cloud Foundry Foundation

Description

A bug in the gorouter process for the versions from 0.262.0 and prior to 0.266.0 of routing-release can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool. It then retries up to two more times on different backends, also marking them as failed and removing them from the routing pool. When done repeatedly, this can remove all backends from an application’s route.

This issue may be mitigated in some environments, depending on the configuration of any load balancing/proxying layers present between the client + gorouter.

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

• Routing
  • All versions from 0.262.0 and prior to 0.266.0
• CF Deployment
  • All versions from 27.4.0 and through 28.2.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

• Routing
  • Upgrade all versions to 0.266.0 or greater
  • All other stemcells should be upgraded to the latest version available on bosh.io.
• CF Deployment
  • Upgrade all versions to 29.0.0 or greater

Credit

This issue was responsibly reported by Geoff Franks.

History

2023-05-22: Initial vulnerability report published.