Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 4 Mar 2019 14:34:34 +0100
From: Alex R <alexr@...che.org>
To: dev <dev@...os.apache.org>, user <user@...os.apache.org>, 
	security <security@...che.org>, oss-security@...ts.openwall.com, 
	Terry Chia <terrycwk1994@...il.com>
Subject: CVE-2018-11793: Mesos components might crash when parsing deeply
 nested JSON structures.

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Mesos 1.4.0 to 1.7.0
The unsupported Apache Mesos pre-1.4.0 releases may be also affected.

Description:
When parsing a JSON payload with deeply nested JSON structures, the
parser might overflow the stack due to unbounded recursion. A
malicious actor can therefore cause a denial of service of Mesos
masters rendering the Mesos-controlled cluster inoperable.

Mitigation:
pre-1.4.x users should upgrade to at least 1.4.3
1.4.x users should upgrade to 1.4.3
1.5.x users should upgrade to 1.5.2
1.6.x users should upgrade to 1.6.2
1.7.0 users should upgrade to 1.7.1
1.8-dev users should obtain Mesos 1.8.0 or later

Credit:
This issue was discovered by Terry Chia (Ayrx).

Alex on behalf of Mesos PMC

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.