CVE-2014-9130 LibYAML vulnerability

Severity

Medium

Vendor

LibYAML

Versions Affected

Cloud Foundry Ruby Buildpack versions prior to 1.6.25

Description

Stanisław Pitucha and Jonathan Gray discovered that LibYAML did not properly handle wrapped strings. An attacker could create specially crafted YAML data to trigger an assert, causing a denial of service.

Affected Pivotal Products and Versions

Cloud Foundry Ruby Buildpack versions prior to 1.6.25

Mitigation

Users of affected versions should apply the following mitigation:

Upgrade the Ruby Buildpack to v1.6.25 [1] or later and restage all applications that use automated buildpack detection

Credit

Stanisław Pitucha and Jonathan Gray

References

[1] https://github.com/cloudfoundry/ruby-buildpack/releases/tag/v1.6.25
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130