CVE-2016-3091 Diego log encoding vulnerability

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • Diego-release versions 0.1468.0 through 0.1470.0

Description

Due to the way Diego splits large log streams on UTF-8 character boundaries, an app that emits malformed UTF-8 sequences can cause a denial of service on a Cloud Foundry installation.
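The advisory does not show Diego's own splitting code, and the example below is not it. It is an added illustration, written for this page, of the property a log chunker has to guarantee to stay out of this bug class: when it cuts a byte stream into fixed-size pieces on UTF-8 boundaries, it must still make progress on bytes that are not valid UTF-8. Go's utf8.DecodeRune reports a size of 1 for any malformed input, so consuming that many bytes keeps the loop advancing. The chunk size of 4 bytes and the sample inputs are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// splitAtUTF8Boundary splits buf into chunks of at most maxBytes bytes without
// cutting a valid multi-byte UTF-8 sequence in half. Malformed bytes are
// consumed one at a time (utf8.DecodeRune reports size 1 for them), so the
// loop always advances and terminates no matter what the app writes.
// Illustrative routine written for this advisory; not Diego's code.
func splitAtUTF8Boundary(buf []byte, maxBytes int) [][]byte {
	if maxBytes < utf8.UTFMax {
		maxBytes = utf8.UTFMax // every valid rune (up to 4 bytes) must fit in one chunk
	}
	var chunks [][]byte
	start, end := 0, 0
	for end < len(buf) {
		// size is >= 1 for any non-empty slice, including invalid input.
		_, size := utf8.DecodeRune(buf[end:])
		if end+size-start > maxBytes {
			chunks = append(chunks, buf[start:end])
			start = end
		}
		end += size
	}
	if end > start {
		chunks = append(chunks, buf[start:end])
	}
	return chunks
}

// chunksCoverInput reports whether joining chunks reproduces buf exactly and
// every chunk is non-empty and within maxBytes: the invariant a log forwarder
// should assert in its own tests.
func chunksCoverInput(chunks [][]byte, buf []byte, maxBytes int) bool {
	var joined []byte
	for _, c := range chunks {
		if len(c) == 0 || len(c) > maxBytes {
			return false
		}
		joined = append(joined, c...)
	}
	return string(joined) == string(buf)
}

func main() {
	// Constructed samples: a valid 3-byte rune positioned so a plain byte-count
	// cut would split it, and a sequence of deliberately malformed bytes (an
	// invalid byte, a truncated sequence, and an overlong-encoding prefix).
	valid := []byte("a€b")
	malformed := []byte{0xFF, 0xE2, 0x82, 'x', 0xC0, 0xAF}
	for _, in := range [][]byte{valid, malformed} {
		chunks := splitAtUTF8Boundary(in, 4)
		fmt.Printf("input %q -> %d chunks, input preserved: %v\n",
			in, len(chunks), chunksCoverInput(chunks, in, 4))
	}
}
```

The point of the second sample is that the splitter neither loops forever nor drops data on garbage: it passes malformed bytes through one at a time and lets the consumer decide how to render them, while valid multi-byte characters are never cut.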

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Diego-release versions 0.1468.0 through 0.1470.0
  • The Pivotal Cloud Foundry Elastic Runtime Tile is not affected by this vulnerability
  • No other Pivotal Cloud Foundry products are affected by this vulnerability

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments running Diego versions 0.1468.0 through 0.1470.0 upgrade to Diego version 0.1471.0
  • No mitigation is needed for Pivotal Cloud Foundry products

Credit

This issue was identified by a Pivotal team and reported responsibly to the Cloud Foundry Foundation.