Severity
HIGH
Vendor
CloudFoundry Foundation
Versions Affected
Routing Release > 0.163.0
CF Deployment > 0.28.0
Description
Cloud Foundry routing release versions from v0.163.0 to v0.283.0 are vulnerable to a denial-of-service (DoS) attack. An unauthenticated attacker can use this vulnerability to force route pruning and thereby degrade the service availability of the Cloud Foundry deployment.
Affected Cloud Foundry Products and Versions
*Severity is high unless otherwise noted.
- Routing_release: All versions from v0.163.0 to v0.283.0 (inclusive)
- CF Deployment: All versions from v0.28.0 to v33.5.0 (inclusive)
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- Routing_release: Upgrade routing_release to v0.284.0 or greater
- CF Deployment: Upgrade cf-deployment to v33.6.0 or greater (includes routing_release v0.284.0)
Credit
This issue was responsibly reported by David Sabeti and Josh Russett of VMware.
History
December 7th: Initial vulnerability report published.