CVE-2019-15225/15226: Envoy 1.11.1 vulnerability fixes

November 11, 2019

Severity

High

Vendor

Cloud Foundry Foundation

Description

Cloud Foundry Diego, versions prior to 2.39.0, consumes a version of Envoy that is vulnerable to a denial-of-service attack. A remote, unauthenticated malicious user may craft requests with a large number of headers to consume excess CPU, or may send a request with a very long URI to consume excess memory. CF Deployment, versions prior to 12.2.0, is affected through its consumption of Diego.
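The two resource-exhaustion paths named above, many headers and a very long URI, are both cases of a proxy doing unbounded work on attacker-controlled input before any limit is applied. The following is an added illustration (not Cloud Foundry or Envoy code) of the defensive principle: a request-head pre-check that enforces fixed budgets on header count, URI length and total header bytes before a request reaches route matching. The limit values, the `build_request` helper and the sample requests are all constructed for this example.

```python
"""Added example (not Cloud Foundry or Envoy code): bound header count and
URI length on an HTTP/1.1 request head before any further processing, so a
request built to exhaust CPU or memory is rejected at a fixed, small cost.
"""
from dataclasses import dataclass

# Assumed budgets for this example; real proxies expose equivalent settings.
MAX_URI_BYTES = 8192          # request-target length budget
MAX_HEADER_COUNT = 100        # number of header lines allowed
MAX_HEADER_BYTES = 60 * 1024  # total request-head size budget


@dataclass
class Verdict:
    accepted: bool
    reason: str
    header_count: int = 0
    uri_length: int = 0


def check_request_head(raw: bytes) -> Verdict:
    """Validate a request head (request line + headers) against fixed budgets.

    The cheapest bound (total bytes) is applied first, then the request
    target and header count, so that the cost of rejecting an abusive
    request does not grow with how abusive it is.
    """
    if len(raw) > MAX_HEADER_BYTES:
        return Verdict(False, "header block too large")

    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "incomplete request head")

    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]

    parts = request_line.split(b" ")
    if len(parts) != 3:
        return Verdict(False, "malformed request line")
    _method, uri, _version = parts

    if len(uri) > MAX_URI_BYTES:
        return Verdict(False, "uri too long", len(header_lines), len(uri))
    if len(header_lines) > MAX_HEADER_COUNT:
        return Verdict(False, "too many headers", len(header_lines), len(uri))

    # Only after the budgets hold do we look inside individual header lines.
    for line in header_lines:
        if b":" not in line:
            return Verdict(False, "malformed header line",
                           len(header_lines), len(uri))

    return Verdict(True, "ok", len(header_lines), len(uri))


def build_request(uri: bytes, extra_headers: int) -> bytes:
    """Construct a sample HTTP/1.1 request head (constructed test input).

    The head always carries one Host header, followed by `extra_headers`
    synthetic X-Constructed-N headers.
    """
    headers = b"".join(b"X-Constructed-%d: v\r\n" % i for i in range(extra_headers))
    return (b"GET " + uri + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n" + headers + b"\r\n")


if __name__ == "__main__":
    print(check_request_head(build_request(b"/v2/apps", 10)))
    print(check_request_head(build_request(b"/", 200)))
    print(check_request_head(build_request(b"/" + b"a" * 9999, 3)))
```

The point of the ordering is that every rejection costs a bounded amount of work: the byte check is a single length comparison, and the URI and header-count checks run before any per-header or per-route matching. Upgrading to the fixed releases remains the mitigation the advisory calls for; this check only shows the shape of the defence the fix relies on.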

Affected Cloud Foundry Products and Versions

  • Diego
    • All versions prior to v2.39.0
  • CF Deployment
    • All versions prior to v12.2.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • Diego
    • Upgrade all versions to v2.39.0 or greater
  • CF Deployment
    • Upgrade all versions to v12.2.0 or greater

References

History

2019-11-11: Initial vulnerability report published.

Cloud Foundry Foundation Security Team, AUTHOR