PT-2017-19189 · Apache · Apache Mesos

Published: 2017-09-28 · Updated: 2022-05-13 · CVE-2017-9790

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Apache Mesos versions prior to 1.1.3
Apache Mesos versions 1.2.x prior to 1.2.2
Apache Mesos versions 1.3.x prior to 1.3.1
Apache Mesos version 1.4.0-dev

Description

The issue occurs when handling a libprocess message wrapped in an HTTP request. If the request path is empty, it causes a crash because the parser assumes the request path always starts with '/'. A malicious actor can exploit this to cause a denial of service, rendering the Mesos-controlled cluster inoperable.

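As an added illustration of the bug class described above (not Mesos or libprocess source; `Route`, `parse_naive`, `parse_checked` and `naive_throws` are hypothetical names, and the `/process/message` path layout is an assumption), this C++ contrasts a parser that assumes the path starts with '/' with one that validates the path and rejects bad input:

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical types and names for illustration; not libprocess code.
struct Route {
  std::string process;  // first path segment, e.g. "master"
  std::string message;  // remainder of the path
};

// Naive form: assumes path[0] == '/'. For an empty path, substr(1) throws
// std::out_of_range; left uncaught, that terminates the whole process.
Route parse_naive(const std::string& path) {
  std::size_t slash = path.find('/', 1);
  if (slash == std::string::npos) return Route{path.substr(1), ""};
  return Route{path.substr(1, slash - 1), path.substr(slash + 1)};
}

// Hardened form: check the assumption first and reject instead of crashing.
bool parse_checked(const std::string& path, Route* out) {
  if (path.empty() || path[0] != '/') return false;
  std::size_t slash = path.find('/', 1);
  std::size_t len = (slash == std::string::npos) ? slash : slash - 1;
  std::string process = path.substr(1, len);
  if (process.empty()) return false;  // "/" or "//..." names no process
  out->process = process;
  out->message = (slash == std::string::npos) ? "" : path.substr(slash + 1);
  return true;
}

// Reports whether the naive parser throws on the given path.
bool naive_throws(const std::string& path) {
  try { parse_naive(path); return false; }
  catch (const std::out_of_range&) { return true; }
}

int main() {
  // Constructed sample paths, including the empty path from the advisory.
  const char* samples[] = {"/master/ping", "/master", "", "master/ping", "/"};
  for (const char* s : samples) {
    Route r;
    std::cout << '"' << s << "\" checked=" << parse_checked(s, &r)
              << " naive_throws=" << naive_throws(s) << '\n';
  }
}
```
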
Recommendations

For Apache Mesos versions prior to 1.1.3, update to version 1.1.3 or later.
For Apache Mesos versions 1.2.x prior to 1.2.2, update to version 1.2.2 or later.
For Apache Mesos versions 1.3.x prior to 1.3.1, update to version 1.3.1 or later.
For Apache Mesos version 1.4.0-dev, update to a stable version that includes the fix.

Fix

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2017-9790
GHSA-VPCV-78CP-WHR3

Affected Products

Apache Mesos