Lucene search

K
cloudfoundryCloud FoundryCFOUNDRY:BFC28EFEE9A9ABA8EC627AB7942BCFD7
HistoryJul 15, 2020 - 12:00 a.m.

CVE-2020-15586: Gorouter is vulnerable to DoS Attack via Expect: 100-continue requests | Cloud Foundry

2020-07-1500:00:00
Cloud Foundry
www.cloudfoundry.org
16

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.01 Low

EPSS

Percentile

83.3%

Severity

High

Vendor

Cloud Foundry Foundation

Description

Cloud Foundry Routing Release, versions prior to 0.203.0, allows a malicious client to cause the Gorouter to crash by sending specially crafted HTTP requests that include the “Expect: 100-continue” header. The Gorouter is vulnerable due to an underlying vulnerability within the Go standard library. The issue has been assigned identifier CVE-2020-15586 and has been fixed in the following security patches of Go: 1.13.13 and 1.14.5.

Affected Cloud Foundry Products and Versions

  • Routing Release
    • All versions prior to 0.203.0
  • CF Deployment
    • All versions prior to 13.7.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • Routing Release
    • Upgrade all versions to 0.203.0 or greater
  • CF Deployment
    • Upgrade all versions to 13.7.0 or greater

If it is not possible to upgrade immediately, consider the following alternative mitigations:

  • Configure an HTTP load balancer in front of the Gorouters to drop the “Expect 100-continue” header completely.
    • Note: this may cause delays in HTTP clients that utilize the Expect: 100 continue behavior. However, this should not affect the correctness of HTTP applications.
  • Configure an HTTP load balancer in front of the Gorouters to drop the “Expect: 100-continue” header and immediately respond with “100 Continue”.
    • Note: this may cause HTTP clients to send the request body unnecessarily in some cases where the server would have responded with a final status code before requesting the body. However, this should not affect the correctness of HTTP applications.

If you are using a TCP / L4 load balancer for your Gorouters instead of an HTTP load balancer, consider the following:

  • Add firewall rules to prevent traffic from any source making requests that are causing this panic.
    • Note: you may use the extra_headers_to_log property to enable logging of the “Expect” request header to help identify sources of this malicious traffic.

Credit

Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse

References

History

2020-07-15: Initial vulnerability report published.

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.01 Low

EPSS

Percentile

83.3%

Related for CFOUNDRY:BFC28EFEE9A9ABA8EC627AB7942BCFD7