CVE-2016-3091 Diego log encoding vulnerability


Chip Childers <cchilders@...>
 

Severity

High
Vendor

Cloud Foundry Foundation
Versions Affected

- Diego-release versions 0.1468.0 through 0.1470.0

Description

Due to how Diego handles breaking up large log streams on UTF-8 boundaries,
it is possible to cause a denial of service on a Cloud Foundry installation
with an app outputting malformed UTF-8 sequences.
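Diego is written in Go, so the chunker below is an added illustration (not Diego's own code, and not a reconstruction of the fixed function) of the class of problem the description names: splitting a large log stream on UTF-8 rune boundaries in a way that keeps making progress when the stream contains malformed or truncated sequences. The function name and the sample log line are constructed for this example.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// splitOnRuneBoundary splits buf into chunks of at most maxBytes bytes without
// cutting a valid multi-byte UTF-8 sequence in half. A byte that does not begin
// a valid sequence (utf8.DecodeRune reports size 1) is passed through as a
// one-byte unit instead of being treated as an error, so the cursor always
// advances and the loop terminates on any input, well-formed or not.
func splitOnRuneBoundary(buf []byte, maxBytes int) [][]byte {
	if maxBytes < utf8.UTFMax {
		maxBytes = utf8.UTFMax // a chunk must be able to hold one full rune
	}
	var chunks [][]byte
	start := 0
	for start < len(buf) {
		end := start
		for end < len(buf) {
			_, size := utf8.DecodeRune(buf[end:]) // size is 1 for a malformed byte
			if end+size-start > maxBytes {
				break // the next rune would not fit; close this chunk here
			}
			end += size
		}
		// end > start always holds: size >= 1 and the first rune fits.
		chunks = append(chunks, buf[start:end])
		start = end
	}
	return chunks
}

func main() {
	// Constructed sample log line: valid two-byte runes around a stray 0xff byte.
	line := []byte("h\u00e9llo\xffw\u00f6rld")
	for i, c := range splitOnRuneBoundary(line, 5) {
		fmt.Printf("chunk %d: %q (len %d, valid UTF-8: %v)\n", i, c, len(c), utf8.Valid(c))
	}
}
```

The invariants worth checking on any splitter of this kind are that no bytes are lost, no chunk exceeds the limit, and well-formed input yields only well-formed chunks.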

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

- Diego-release versions 0.1468.0 through 0.1470.0

Mitigation

Users of affected versions should apply the following mitigation:

- The Cloud Foundry project recommends that Cloud Foundry deployments
  running Diego versions 0.1468.0 through 0.1470.0 upgrade to Diego version
  0.1471.0.

Credit

This issue was identified by a Pivotal team and reported responsibly
to the Cloud Foundry Foundation.