Security Advisory

CVE-2020-15586: Gorouter is vulnerable to DoS Attack via Expect: 100-continue requests

Severity

High

Vendor

Cloud Foundry Foundation

Description

Cloud Foundry Routing Release, versions prior to 0.203.0, allows a malicious client to cause the Gorouter to crash by sending specially crafted HTTP requests that include the “Expect: 100-continue” header. The Gorouter is vulnerable because of an underlying vulnerability in the Go standard library. The issue has been assigned identifier CVE-2020-15586 and is fixed in the Go security releases 1.13.13 and 1.14.5.

Affected Cloud Foundry Products and Versions

  • Routing Release
    • All versions prior to 0.203.0
  • CF Deployment
    • All versions prior to 13.7.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • Routing Release
    • Upgrade all versions to 0.203.0 or greater
  • CF Deployment
    • Upgrade all versions to 13.7.0 or greater

If it is not possible to upgrade immediately, consider the following alternative mitigations:

  • Configure an HTTP load balancer in front of the Gorouters to drop the “Expect: 100-continue” header completely.
    • Note: this may cause delays for HTTP clients that rely on the “Expect: 100-continue” behavior. However, this should not affect the correctness of HTTP applications.
  • Configure an HTTP load balancer in front of the Gorouters to drop the “Expect: 100-continue” header and immediately respond with “100 Continue”.
    • Note: this may cause HTTP clients to send the request body unnecessarily in some cases where the server would have responded with a final status code before requesting the body. However, this should not affect the correctness of HTTP applications.

If you are using a TCP / L4 load balancer for your Gorouters instead of an HTTP load balancer, consider the following:

  • Add firewall rules to block traffic from any source sending the requests that trigger this panic.
    • Note: you may use the extra_headers_to_log property to enable logging of the “Expect” request header, which helps identify the sources of this malicious traffic.
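As an added example (not part of the advisory or of the Routing Release code), the Go program below scans Gorouter-style access log lines for a logged Expect header and tallies, per source address, how many requests carried “100-continue”, so that the firewall-rule step above can be driven from evidence rather than guesswork. The log-line layout, the `remote_addr:"…"` and `expect:"…"` field rendering and the sample addresses are constructed assumptions; adapt the two regular expressions to the format your Gorouter actually emits.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// Constructed sample lines in a simplified Gorouter-like access-log format (not
// real traffic). How a header enabled via extra_headers_to_log is rendered and
// the remote_addr field are assumptions; adapt the regexes to your real logs.
const sampleLog = `app.example.com - [2020-07-15T10:00:01.000Z] "POST /upload HTTP/1.1" 200 remote_addr:"203.0.113.7:51000" expect:"100-continue"
app.example.com - [2020-07-15T10:00:01.100Z] "POST /upload HTTP/1.1" 200 remote_addr:"203.0.113.7:51001" expect:"100-continue"
app.example.com - [2020-07-15T10:00:01.200Z] "GET /health HTTP/1.1" 200 remote_addr:"198.51.100.4:40000" expect:""
app.example.com - [2020-07-15T10:00:01.300Z] "POST /upload HTTP/1.1" 200 remote_addr:"203.0.113.7:51002" expect:"100-Continue"
app.example.com - [2020-07-15T10:00:01.400Z] "POST /api HTTP/1.1" 201 remote_addr:"198.51.100.9:40010" expect:"100-continue"`

var (
	expectRe     = regexp.MustCompile(`(?i)\bexpect:"([^"]*)"`)
	remoteAddrRe = regexp.MustCompile(`remote_addr:"([^:"]+)`) // host part only
)

// CountExpectContinue returns, per source IP, how many logged requests carried
// an Expect: 100-continue header (compared case-insensitively, as HTTP allows).
func CountExpectContinue(log string) map[string]int {
	counts := make(map[string]int)
	for _, line := range strings.Split(log, "\n") {
		em := expectRe.FindStringSubmatch(line)
		if em == nil || !strings.EqualFold(strings.TrimSpace(em[1]), "100-continue") {
			continue
		}
		if am := remoteAddrRe.FindStringSubmatch(line); am != nil {
			counts[am[1]]++
		}
	}
	return counts
}

// NoisySources lists sources whose count reaches threshold, sorted, so an
// operator can review them before writing firewall rules.
func NoisySources(counts map[string]int, threshold int) []string {
	var out []string
	for src, n := range counts {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}
```

Run it over a day of access logs rather than the embedded sample, and tune the threshold to your normal rate of legitimate 100-continue clients (large uploads commonly use it) before turning the output into firewall rules.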

History

2020-07-15: Initial vulnerability report published.


Author: Cloud Foundry Foundation Security Team
