
CVE-2020-15586: Gorouter is vulnerable to DoS Attack via Expect: 100-continue requests


Severity

High

Vendor

VMware Tanzu

Description

VMware Tanzu Application Service for VMs and VMware Tanzu Isolation Segment, all versions prior to 2.7.20, 2.8.x versions prior to 2.8.14, and 2.9.x versions prior to 2.9.8, allow a malicious client to crash the Gorouter by sending specially crafted HTTP requests that include the “Expect: 100-continue” header. The Gorouter is vulnerable because of an underlying vulnerability in the Go standard library's net/http package, which the Gorouter uses to serve and proxy HTTP traffic.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • VMware Tanzu Application Service for VMs
    • All versions prior to 2.7.20
    • 2.8.x versions prior to 2.8.14
    • 2.9.x versions prior to 2.9.8
  • VMware Tanzu Isolation Segment
    • All versions prior to 2.7.20
    • 2.8.x versions prior to 2.8.14
    • 2.9.x versions prior to 2.9.8

Mitigation

Users of affected versions should upgrade to one of the fixed versions listed below. If upgrading immediately is not possible, consider one of the following alternative mitigations:

  • Mitigation 1: Configure an HTTP load balancer in front of the Gorouters to drop the "Expect: 100-continue" header entirely. (Note: this may delay HTTP clients that rely on the Expect: 100-continue behavior, since they will wait for an interim response that never arrives before sending the request body. It should not affect the correctness of HTTP applications.)
  • Mitigation 2: Configure an HTTP load balancer in front of the Gorouters to drop the "Expect: 100-continue" header and immediately respond with "100 Continue" on the load balancer. (Note: this may cause HTTP clients to send the request body unnecessarily in cases where the server would otherwise have returned a final status code before requesting the body. It should not affect the correctness of HTTP applications.)
  • Mitigation 3: If the Gorouters sit behind a TCP / L4 load balancer rather than an HTTP load balancer, add firewall rules to block traffic from any source that is sending the requests that trigger this panic. (Note: the "HTTP headers to log" property can be used to log the "Expect" request header in the Gorouter access logs, which helps identify the sources of this malicious traffic.)

Fixed versions:

  • VMware Tanzu Application Service for VMs
    • 2.7.20
    • 2.8.14
    • 2.9.8
  • VMware Tanzu Isolation Segment
    • 2.7.20
    • 2.8.14
    • 2.9.8

References

History

2020-07-16: Initial vulnerability report published.