This issue has been assigned identifier: CVE-2020-15586.

Impacted software:

• 2.7.0-2.7.19
• 2.8.0-2.8.13
• 2.9.0-2.9.7

We are asking all Tanzu Application Service customers to upgrade their TAS installations or implement a change in their Load Balancer in front of their Gorouter immediately.

We have released patch versions of Tanzu Application Service and Tanzu Isolation Segment as of 10:30am PST today July 16th. Please upgrade to one of the following versions:

• 2.7.20
• 2.8.14
• 2.9.8

It is recommended that you upgrade to a version that fixes this issue:

Upgrade VMware Tanzu Application Service for VMs to one of the following versions:

• 2.7.20
• 2.8.14
• 2.9.8

Upgrade VMware Tanzu Isolation Segment to one of the following versions:

• 2.7.20
• 2.8.14
• 2.9.8

If it is not possible to upgrade immediately, as an alternative mitigation, we are recommending all customers to do the following

b. Configure their HTTP load balancer in front of every Gorouter to drop the “Expect 100-continue” header and immediately respond with “100 Continue”. This change may cause HTTP clients to send the request body unnecessarily in some cases where the server would have responded with a final status code before requesting the body. This change should not affect the correctness of HTTP applications. 
 

c. For customers using a TCP / L4 load balancer for their Gorouters instead of an HTTP load balancer, to add firewall rules to prevent traffic from any source making requests that are causing this panic. The “HTTP headers to log” setting will enable logging of the “Expect” request header to help identify sources of this malicious traffic.