CVE-2018-1221: Gorouter websocket handling vulnerability
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- cf-deployment: all versions prior to 1.14.0
- routing-release: all versions prior to 0.172.0
The Cloud Foundry Gorouter mishandles WebSocket requests that arrive through AWS Application Load Balancers (ALBs) and some other HTTP-aware load balancers. A user with developer privileges (that is, someone able to push applications to the platform) could exploit this to steal data or cause a denial of service.
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - cf-deployment: 1.14.0
  - routing-release: 0.172.0
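The following is an added example and is not part of this advisory or of Cloud Foundry's own tooling: a small Python script that reads the `releases:` section of a BOSH deployment manifest in the cf-deployment.yml layout and reports every release that is still below the fixed versions listed above. It assumes that the routing release appears in the manifest under the name `routing` (the name cf-deployment uses for routing-release), that cf-deployment's own version is recorded in a top-level `manifest_version` key, and the manifest text it runs on is constructed for the example. Versions are compared component by component as integers, because a plain string comparison ranks `0.9.0` above `0.172.0` and would miss an affected deployment.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions from the advisory; anything strictly below these is affected.
# Key "routing" is the manifest release name assumed for routing-release.
FIXED_VERSIONS = {
    "cf-deployment": "1.14.0",
    "routing": "0.172.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.172.0', 'v1.14' or '1.14.0' into a comparable integer tuple.

    Missing components are padded with zeros so that '0.172' == '0.172.0'.
    Integer tuples compare numerically, unlike the raw strings.
    """
    parts = [int(p) for p in re.findall(r"\d+", v)]
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts + [0] * max(0, 3 - len(parts)))


def is_affected(release: str, version: str) -> bool:
    """True when `release` is one the advisory covers and `version` predates the fix."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def parse_manifest_versions(manifest: str) -> Dict[str, str]:
    """Minimal line-based extraction of release versions from a BOSH manifest.

    Not a full YAML parser: it assumes the conventional cf-deployment layout,
    with '- name:' items under a top-level 'releases:' key and a 'version:'
    line inside each item. The cf-deployment version itself is taken from the
    top-level 'manifest_version' key (assumption; value like 'v1.13.0').
    """
    found: Dict[str, str] = {}
    in_releases = False
    current = None
    for line in manifest.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^manifest_version:\s*v?(\S+)", line)
        if m:
            found["cf-deployment"] = m.group(1).strip("\"'")
            continue
        if line[0] not in " \t-":
            # Any other column-0 key starts a new top-level section.
            in_releases = line.strip() == "releases:"
            current = None
            continue
        if not in_releases:
            continue
        m = re.match(r"^\s*-\s*name:\s*(\S+)", line)
        if m:
            current = m.group(1).strip("\"'")
            continue
        m = re.match(r"^\s*version:\s*(\S+)", line)
        if m and current:
            found[current] = m.group(1).strip("\"'")
    return found


def audit(manifest: str) -> List[Tuple[str, str, str]]:
    """Return (release, deployed_version, fixed_version) for every affected entry."""
    versions = parse_manifest_versions(manifest)
    return [
        (name, ver, FIXED_VERSIONS[name])
        for name, ver in versions.items()
        if is_affected(name, ver)
    ]


# Constructed excerpt in the shape of a cf-deployment manifest; not a real deployment.
SAMPLE_MANIFEST = """\
name: cf
manifest_version: v1.13.0
releases:
- name: capi
  version: 1.49.0
- name: routing
  url: https://bosh.io/d/github.com/cloudfoundry-incubator/routing-release?v=0.171.0
  version: 0.171.0
- name: diego
  version: 1.34.0
stemcells:
- alias: default
  os: ubuntu-trusty
  version: "3468.21"
"""

if __name__ == "__main__":
    for name, deployed, fixed in audit(SAMPLE_MANIFEST):
        print(f"{name}: {deployed} is affected by CVE-2018-1221, upgrade to {fixed}")
```

To run this against a real deployment, pipe in the manifest from `bosh -d cf manifest` instead of the constructed sample; the stemcell `version:` line under `stemcells:` is deliberately ignored because only the `releases:` section is relevant to this advisory.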
This issue was responsibly reported by the Volkswagen Digital:Lab Platform Team.
2018-02-13: Initial vulnerability report published, versions clarified, credit added.
2018-02-14: Versions clarified.