mesos-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex R <>
Subject CVE-2018-1330: Libprocess might crash when decoding malformed HTTP requests or malformed JSON payload.
Date Thu, 13 Sep 2018 14:52:53 GMT
Severity: Important

The Apache Software Foundation

Versions Affected:
Apache Mesos 1.4.0 to 1.5.0
The unsupported Apache Mesos pre-1.4.0 releases may be also affected.

When parsing a malformed JSON payload, libprocess might crash due to
an uncaught exception. Parsing chunked HTTP requests with trailers
can lead to a libprocess crash too because of the mistakenly planted
assertion. A malicious actor can therefore cause a denial of service
of Mesos masters rendering the Mesos-controlled cluster inoperable.

pre-1.4.x users should upgrade to at least 1.4.2
1.4.x users should upgrade to 1.4.2
1.5.0 users should upgrade to 1.5.1
1.6.0-dev users should obtain Mesos 1.6.0 or later

This issue was discovered by Lyon Yang (@l0Op3r), Jeremy Heng
(@nn\_amon) and Quan Yang (@quanyang).

Alex on behalf of Mesos PMC.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message