CVE-2019-11289: A forged route service request using an invalid nonce can cause the gorouter to panic and crash
Severity

High

Vendor

Pivotal

Description

Cloud Foundry Routing (the Gorouter), all versions before 0.193.0, as consumed by Pivotal Isolation Segment 2.5 versions prior to 2.5.14, 2.6 versions prior to 2.6.9 and 2.7 versions prior to 2.7.4, and by Pivotal Application Service 2.5 versions prior to 2.5.15, 2.6 versions prior to 2.6.10 and 2.7 versions prior to 2.7.4, does not properly validate the nonce carried in a route service request. A remote, unauthenticated user can forge an HTTP route service request with an invalid nonce that causes the Gorouter to panic and crash, resulting in a denial of service.
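To make the failure mode concrete, the following is an added example of the general pattern, not Gorouter's code and not taken from this advisory: a route-service style check that decrypts an AES-GCM signature using a nonce supplied by the request. Go's GCM Open panics when the nonce is not exactly NonceSize() bytes, so handing an unchecked, attacker-controlled nonce to the cipher turns a forged request into a process crash; the hardened form rejects a wrong-length nonce before it reaches the cipher and returns an ordinary error. The payload, the all-zero demonstration key and the choice of AES-GCM are assumptions made for this illustration; the advisory does not describe Gorouter's internal code path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrBadNonce is returned by the hardened path when the caller-supplied nonce
// does not have the length the AEAD expects.
var ErrBadNonce = errors.New("route service signature: invalid nonce length")

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts a payload with a fresh random nonce and returns both values
// base64-encoded, the way a router might sign a URL it forwards to a route service.
func seal(aead cipher.AEAD, payload []byte) (nonceB64, ctB64 string, err error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return "", "", err
	}
	ct := aead.Seal(nil, nonce, payload, nil)
	return base64.StdEncoding.EncodeToString(nonce), base64.StdEncoding.EncodeToString(ct), nil
}

// openUnchecked is the vulnerable pattern: decode the attacker-controlled nonce
// and ciphertext and pass them straight to Open. GCM's Open panics
// ("crypto/cipher: incorrect nonce length given to GCM") when the nonce is not
// exactly NonceSize() bytes, so a forged header crashes the process.
func openUnchecked(aead cipher.AEAD, nonceB64, ctB64 string) ([]byte, error) {
	nonce, err := base64.StdEncoding.DecodeString(nonceB64)
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(ctB64)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil) // panics on a wrong-length nonce
}

// openChecked is the hardened form: reject a wrong-length nonce before it reaches
// the cipher, so malformed input becomes an error the caller can map to a 4xx.
func openChecked(aead cipher.AEAD, nonceB64, ctB64 string) ([]byte, error) {
	nonce, err := base64.StdEncoding.DecodeString(nonceB64)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, ErrBadNonce
	}
	ct, err := base64.StdEncoding.DecodeString(ctB64)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil) // tampered ciphertext fails cleanly here
}

// panics runs fn and reports whether it panicked, so both paths can be compared
// without taking the demo process down.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	aead, err := newGCM(make([]byte, 32)) // constructed all-zero key, demo only
	if err != nil {
		panic(err)
	}
	nonceB64, ctB64, err := seal(aead, []byte("https://app.example.test/path"))
	if err != nil {
		panic(err)
	}
	forged := "AAAA" // valid base64 that decodes to three bytes: wrong nonce length
	fmt.Println("unchecked path panics on forged nonce:", panics(func() { openUnchecked(aead, forged, ctB64) }))
	_, err = openChecked(aead, forged, ctB64)
	fmt.Println("checked path returns error:", err)
	pt, err := openChecked(aead, nonceB64, ctB64)
	fmt.Println("checked path with genuine values:", string(pt), err)
}
```

The length check is the whole fix in this model: any value that does not match the AEAD's nonce size is treated as an authentication failure rather than being trusted as cipher input. The same rule applies to any other caller-supplied parameter that a cryptographic primitive documents as a precondition rather than validating itself.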

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Pivotal Isolation Segment
    • 2.5 versions prior to 2.5.14
    • 2.6 versions prior to 2.6.9
    • 2.7 versions prior to 2.7.4
  • Pivotal Application Service (PAS)
    • 2.5 versions prior to 2.5.15
    • 2.6 versions prior to 2.6.10
    • 2.7 versions prior to 2.7.4

Mitigation

Users of affected versions should upgrade to a release containing the fix. Releases that fix this issue include:

  • Pivotal Isolation Segment
    • 2.5.14
    • 2.6.9
    • 2.7.4
  • Pivotal Application Service (PAS)
    • 2.5.15
    • 2.6.10
    • 2.7.4

History

2019-11-18: Initial vulnerability report published.