[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2017-9790: Libprocess might crash when decoding an HTTP request with absent path.
From: Alex R <alexr () apache ! org>
Date: 2017-09-26 14:53:53
Message-ID: CAPNiXbGAjOKHZH02R+T5HbtXs0F8OLbPz=SZrG4G+ZqgX--wBA () mail ! gmail ! com
[Download RAW message or body]
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Mesos 1.1.0 to 1.3.0
The unsupported Apache Mesos 1.0.x as well as 0.x versions may be also
affected.
Description:
When handling a libprocess message wrapped in an HTTP request, libprocess
crashes if the request path is empty, because the parser assumes the request
path always starts with '/'. A malicious actor can therefore cause a denial
of service of Mesos masters rendering the Mesos-controlled cluster
inoperable.
Mitigation:
pre-1.1.x users should upgrade to at least 1.1.3
1.1.x users should upgrade to 1.1.3
1.2.x users should upgrade to 1.2.2
1.3.0 users should upgrade to 1.3.1
1.4.0-dev users should obtain Mesos 1.4.0
Credit:
This issue was discovered by Lyon Yang and Jeremy Heng
Alex on behalf of Mesos PMC
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic