oss-sec mailing list archives
CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.
From: Alex R <alexr () apache org>
Date: Thu, 13 Sep 2018 16:52:53 +0200
Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Mesos 1.4.0 to 1.5.0 The unsupported Apache Mesos pre-1.4.0 releases may be also affected. Description: When parsing a malformed JSON payload, libprocess might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. Mitigation: pre-1.4.x users should upgrade to at least 1.4.2 1.4.x users should upgrade to 1.4.2 1.5.0 users should upgrade to 1.5.1 1.6.0-dev users should obtain Mesos 1.6.0 or later Credit: This issue was discovered by Lyon Yang (@l0Op3r), Jeremy Heng (@nn\_amon) and Quan Yang (@quanyang). Alex on behalf of Mesos PMC.
Current thread:
- CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload. Alex R (Sep 13)