CVE-2014-9130: LibYAML vulnerability | Cloud Foundry

2016-09-21T00:00:00
ID CFOUNDRY:E16D8E988420765C16BC608B63004B3D
Type cloudfoundry
Reporter Cloud Foundry
Modified 2016-09-21T00:00:00

Description

CVE-2014-9130: LibYAML vulnerability

Medium

Vendor

LibYAML

Versions Affected

  • Cloud Foundry Ruby Buildpack versions prior to 1.6.25

Description

Stanisław Pitucha and Jonathan Gray discovered that LibYAML did not properly handle wrapped strings. An attacker could create specially crafted YAML data to trigger an assert, causing a denial of service.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade the Ruby Buildpack to v1.6.25 [1] or later and restage all applications that use automated buildpack detection

Credit

Stanisław Pitucha and Jonathan Gray

References

  • [1] <https://github.com/cloudfoundry/ruby-buildpack/releases/tag/v1.6.25>
  • <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130>