TNZ-2024-0100: GoRouter Denial of Service (CVE-2024-22279)
Document ID: 24486
Published: 07 June 2024
Last updated: 07 June 2024
Status: CLOSED

Advisory ID: TNZ-2024-0100
Severity: Medium
CVSSv3 Range: 6.7
Issue date: 2024-06-06
Updated on: 2024-06-06 (Initial Advisory)
CVE(s): CVE-2024-22279
Synopsis: TNZ-2024-0100: GoRouter Denial of Service (CVE-2024-22279)
- Impacted Products
- 2.11 - TAS: 2.11.42 - 2.11.57, IST: 2.11.36 - 2.11.51
- 2.13 - TAS: 2.13.24 - 2.13.39, IST: 2.13.21 - 2.13.36
- 4.0 - TAS: 4.0.5 - 4.0.23, IST: 4.0.5 - 4.0.23
- 5.0 - TAS: 5.0.0 - 5.0.13, IST: 5.0.0 - 5.0.13
- 6.0 - TAS: 6.0.0 - 6.0.3, IST: 6.0.0 - 6.0.3
- Introduction
VMware Tanzu Application Service for VMs GoRouter contains an issue in its handling of the HTTP `Expect: 100-continue` mechanism (RFC 7231) that can lead to a denial of service. The issue was privately reported to Tanzu. Patches are available to remediate this vulnerability in affected Tanzu products.
- GoRouter Denial of Service (CVE-2024-22279)
Description:
The issue stems from what we believe to be a gap, or a poorly worded requirement, in RFC 7231 Section 5.1.1, which has led to multiple misbehaving app frameworks. In the attack scenario, a server (app) that issues a final response before it has read the entire request body SHOULD either send `Connection: close` to the client (gorouter), or send `Connection: keep-alive` AND read and discard the rest of the HTTP request. In reality, the affected servers send `Connection: keep-alive` and then keep reading bytes for a request to which they have already issued a final response, so the two ends of the connection no longer agree on where that request ends.
Go's net/http implements server-side logic to handle exactly this scenario, but it does not help here because gorouter is a proxy acting as an HTTP client to the apps, not as the HTTP server.
Known Attack Vectors:
The only known attack vector is a malicious HTTP request carrying `Expect: 100-continue`, sent through the proxy (gorouter) to a server (app) that returns a `Connection: keep-alive` header together with a final status code (anything other than 100 Continue) before it has read the entire request body.
Resolution:
Upgrade to the patched release version, or newer:
- 2.11 - TAS: 2.11.58, IST: 2.11.52
- 2.13 - TAS: 2.13.40, IST: 2.13.37
- 4.0 - TAS: 4.0.24, IST: 4.0.24
- 5.0 - TAS: 5.0.14, IST: 5.0.14
- 6.0 - TAS: 6.0.4, IST: 6.0.4
Workarounds:
Any of the following are valid workarounds, depending on your environment and traffic needs:
- Upgrade to the patched release version or newer
- Reject inbound requests carrying an `Expect: 100-continue` header before they reach gorouter
- Disable HTTP keep-alive connections between gorouter and the application
Additional Documentation:
We also recommend that customers open security issues with the .NET framework and nginx projects (and with any other app framework they observe this behaviour in), because those frameworks are likely to be susceptible to the same issue when deployed behind other L7 proxies.
Acknowledgements:
Anonymous acknowledgement to the customer and the third-party researcher who discovered this issue and reported it to VMware Tanzu.
Notes:
Additional testing was performed around reflection attacks; this vulnerability is not susceptible to those and is only a potential denial of service.
- References:
Fixed Version(s):
- 2.11 - TAS: 2.11.58, IST: 2.11.52
- 2.13 - TAS: 2.13.40, IST: 2.13.37
- 4.0 - TAS: 4.0.24, IST: 4.0.24
- 5.0 - TAS: 5.0.14, IST: 5.0.14
- 6.0 - TAS: 6.0.4, IST: 6.0.4
Cloud Foundry Advisory Link:
https://www.cloudfoundry.org/blog/cve-2024-22279-gorouter-denial-of-service-attack/
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22279
- Change Log:
2024-06-06 TNZ-2024-0100
Initial security advisory
- Contact:
E-mail: [email protected]
VMware Tanzu Security Advisories
https://support.broadcom.com/group/ecx/security-advisory?segment=VT
VMware Security & Compliance Blog
https://tanzu.vmware.com/content/vmware-tanzu-and-security
Copyright 2024 Broadcom. All rights reserved.