PT-2017-19189 · Apache · Apache Mesos
Published 2017-09-28 · Updated 2022-05-13 · CVE-2017-9790
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Mesos versions prior to 1.1.3
Apache Mesos versions 1.2.x prior to 1.2.2
Apache Mesos versions 1.3.x prior to 1.3.1
Apache Mesos version 1.4.0-dev
Description
The issue occurs when libprocess handles a message wrapped in an HTTP request. If the request path is empty, the process crashes, because the parser assumes the request path always starts with '/'. A malicious actor can exploit this to cause a denial of service, rendering the Mesos-controlled cluster inoperable.
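To make the failure mode concrete, the following is an added C++ illustration, not libprocess or Mesos code: a fragile route parser that mirrors the assumption described above, beside a checked version that rejects a malformed path instead of letting an exception escape the request handler. The route shape "/<process-id>/<message-name>", the Route struct and the function names are the example's own assumptions.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
// Added illustration, not libprocess code: a minimal model of the defect the
// advisory describes. Route shape and names are assumed for the example.
struct Route {
    std::string process;  // target process id, e.g. "master"
    std::string name;     // message name after the second '/'
};
// Fragile parser: slices the path on the assumption that path[0] == '/'.
// On an empty path, substr(1) is called with pos > size() and throws
// std::out_of_range; a server that does not catch it is terminated.
Route parseRouteUnchecked(const std::string& path) {
    std::size_t slash = path.find('/', 1);
    Route r;
    if (slash == std::string::npos) {
        r.process = path.substr(1);
    } else {
        r.process = path.substr(1, slash - 1);
        r.name = path.substr(slash + 1);
    }
    return r;
}
// Hardened parser: validates the shape of the request path before indexing
// into it and reports malformed input as a client error (false) instead of
// letting an exception propagate out of the request handler.
bool parseRouteChecked(const std::string& path, Route& out) {
    if (path.size() < 2 || path[0] != '/') {
        return false;  // empty, "/", or not rooted at '/': reject, do not crash
    }
    std::size_t slash = path.find('/', 1);
    out.process = path.substr(1, slash == std::string::npos ? std::string::npos : slash - 1);
    out.name = (slash == std::string::npos) ? "" : path.substr(slash + 1);
    return !out.process.empty();  // "//name" has no process id: reject
}
// Shows the failure mode on an empty path: true if the unchecked parser
// throws (the crash the advisory describes) while the checked one rejects it.
bool emptyPathCrashesOnlyUnchecked() {
    bool threw = false;
    try {
        parseRouteUnchecked("");
    } catch (const std::out_of_range&) {
        threw = true;
    }
    Route r;
    return threw && !parseRouteChecked("", r);
}
```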
Recommendations
For Apache Mesos versions prior to 1.1.3, update to version 1.1.3 or later.
For Apache Mesos versions 1.2.x prior to 1.2.2, update to version 1.2.2 or later.
For Apache Mesos versions 1.3.x prior to 1.3.1, update to version 1.3.1 or later.
For Apache Mesos version 1.4.0-dev, update to a stable version that includes the fix.
Fix
Weakness Enumeration
Use After Free
Related Identifiers
Affected Products
Apache Mesos