TNZ-2024-0100: GoRouter Denial of Service (CVE-2024-22279)

07 June 2024

Advisory ID: TNZ-2024-0100
CVSSv3 Range:
Issue date: 2024-06-06
Updated on: 2024-06-06 (Initial Advisory)


  1. Impacted Products
    • 2.11 - TAS: 2.11.42 - 2.11.57, IST: 2.11.36 - 2.11.51
    • 2.13 - TAS: 2.13.24 - 2.13.39, IST: 2.13.21 - 2.13.36
    • 4.0 - TAS: 4.0.5 - 4.0.23, IST: 4.0.5 - 4.0.23
    • 5.0 - TAS: 5.0.0 - 5.0.13, IST: 5.0.0 - 5.0.13
    • 6.0 - TAS: 6.0.0 - 6.0.3, IST: 6.0.0 - 6.0.3
  2. Introduction

VMware Tanzu Application Service for VMs (TAS) GoRouter contains an HTTP protocol handling issue, rooted in how RFC 7231 specifies the `Expect: 100-continue` exchange, that can lead to a denial of service. The issue was privately reported to Tanzu. Patches are available to remediate this vulnerability in affected Tanzu products.

  3. GoRouter Denial of Service (CVE-2024-22279)

The issue arises from what we believe to be a gap, or poorly worded requirements, in RFC 7231 Section 5.1.1 (the `Expect` header), which has led to multiple app frameworks behaving inconsistently. In the attack scenario, a server (the app) that answers a request carrying `Expect: 100-continue` with a final status code before it has read the request body SHOULD either send `Connection: close` to the client (gorouter), or send `Connection: keep-alive` AND discard the remainder of the HTTP request. In practice, the affected servers send `Connection: keep-alive` and then keep reading bytes for the body of a request they have already given a final response to. Because a client that has received a final response does not send that body, the bytes the server goes on consuming are those of whatever the client sends next on the same kept-alive connection, which leaves the connection in an inconsistent state.

Go's net/http server handles this specific scenario on the server side (it does not keep a connection alive after responding to an `Expect: 100-continue` request whose body it has not finished reading), but that does not help here: gorouter is a proxy acting as an HTTP client to the apps, not as the HTTP server.

Known Attack Vectors:
The only attack vector is a malicious HTTP request carrying `Expect: 100-continue`, sent through the proxy (gorouter) to a server (app) that responds with a `Connection: keep-alive` header together with a final-response HTTP status code (anything other than 100 Continue) before it has read the entire request body.

Upgrade to the patched release version, or newer:

    • 2.11 - TAS: 2.11.58, IST: 2.11.52
    • 2.13 - TAS: 2.13.40, IST: 2.13.37
    • 4.0 - TAS: 4.0.24, IST: 4.0.24
    • 5.0 - TAS: 5.0.14, IST: 5.0.14
    • 6.0 - TAS: 6.0.4, IST: 6.0.4

Any of the following are valid workarounds, depending on your environment and traffic needs:

    • Upgrade to the patched release version or newer
    • Reject inbound requests carrying an `Expect: 100-continue` header before they reach gorouter
    • Disable HTTP keep-alive connections between gorouter and the application

Additional Documentation:

We also recommend that customers open security issues with the .NET framework and nginx projects (and with any other app framework they observe this behaviour in), because those frameworks are likely susceptible to the same issue when deployed behind other L7 proxies.

Anonymous acknowledgement to the customer and third-party researcher who discovered this issue and reported it to VMware Tanzu.

Additional testing was performed around reflection attacks; this vulnerability is not susceptible to those and is limited to a potential denial of service.

  4. References:

Fixed Version(s):

Cloud Foundry Advisory Link: 

Mitre CVE Dictionary Links: 

CVSSv3 Calculator: 

  5. Change Log:

2024-06-06 TNZ-2024-0100

  Initial security advisory

  6. Contact:

E-mail: [email protected]

VMware Tanzu Security Advisories 

VMware Security & Compliance Blog

Copyright 2024 Broadcom. All rights reserved.