Gorouter WebSocket Handling Vulnerability (CVE-2018-1221)

Article ID: 297833


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Symptoms:

We are currently waiting on PAS patches. All versions of PAS have this vulnerability. Whether a particular customer is affected depends on their Load Balancer configuration.

The following information has been sent to cf-dev and can be considered public.

The details are captured in https://www.cloudfoundry.org/blog/cve-2018-1221/

 

Environment


Cause

Description of the exploit:

The vulnerability lies in Gorouter's WebSocket handling.

The vulnerability is exposed when:

  • The LB recognizes HTTP requests (L7) and requests a WebSocket upgrade to Gorouter

  • The LB leverages HTTP keepalive connections to Gorouter

AWS Classic ELBs do not support WebSocket requests in HTTP mode and so do not expose the vulnerability. AWS ALBs (Application Load Balancers), by contrast, do support WebSockets in HTTP mode and so do expose the vulnerability.

Developers with access to cf push are able to exploit this vulnerability in vulnerable installations to gather sensitive data, potentially including usernames and passwords, JWT/OAuth tokens, and UAA client IDs and secrets.

How to tell if your CF installation is affected

Your CF installations are affected if ANY of the following are true:

  • Your load balancer recognizes HTTP requests (L7) AND will initiate a websocket handshake with Gorouter when the client initiates one AND the load balancer leverages HTTP keepalive connections to Gorouter

  • You are using AWS Application Load Balancers (ALB)

How to tell if your CF installation is NOT affected

Your CF installations are not affected if ANY of the following are true:

  • You are using LBs that are not HTTP-aware; they are passing through requests to Gorouter over TCP

  • Your load balancer does not use HTTP keepalive connections to Gorouter

  • You are using AWS Classic ELBs (these load balancers must be configured in TCP mode to support WebSockets; they do not support the WebSocket protocol in HTTP mode)

How to tell if your installation has been exploited

  • If requests for routes are intermittently routed to unexpected applications and unexpected responses are received. For example, a request made by the cf CLI to log into CF receives an unexpected or non-standard response.

  • If the number of HTTP requests the load balancer has a record of is far more than the number that all Gorouters know about, this could be an indication that Gorouter is sending these HTTP requests over what it considers to be an upgraded WebSocket connection.
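The second indicator above can be checked mechanically by comparing per-minute request counts from the load balancer's access log against the Gorouters' access logs. The following is an added example (not part of this article or the Cloud Foundry project) using a constructed, simplified log format; real ALB and Gorouter access logs have different layouts and the regular expression would need to be adapted.

```python
import re
from collections import Counter

# Constructed sample log lines (not real ALB or Gorouter output); one line per
# request in the simplified form: <ISO timestamp> <method> <path> <status>.
# In the attack scenario the LB keeps logging requests on a keepalive
# connection that Gorouter already treats as an upgraded WebSocket tunnel,
# so Gorouter's log stops growing while the LB's does not.
LB_LOG = """\
2018-03-05T10:00:01Z GET /v2/info 200
2018-03-05T10:00:02Z GET /ws/stream 101
2018-03-05T10:00:03Z POST /oauth/token 200
2018-03-05T10:00:04Z GET /v2/apps 200
2018-03-05T10:01:10Z GET /v2/info 200
"""
GOROUTER_LOG = """\
2018-03-05T10:00:01Z GET /v2/info 200
2018-03-05T10:00:02Z GET /ws/stream 101
2018-03-05T10:01:10Z GET /v2/info 200
"""

# Assumed format; capture the minute bucket, method, path and status.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ (\S+) (\S+) (\d{3})$")


def count_per_minute(log_text):
    """Return (requests per minute, set of minutes containing a 101 upgrade)."""
    counts = Counter()
    upgrade_minutes = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        minute, _method, _path, status = m.groups()
        counts[minute] += 1
        if status == "101":
            upgrade_minutes.add(minute)
    return counts, upgrade_minutes


def find_suspicious_windows(lb_log, gorouter_log, tolerance=0):
    """Minutes where the LB saw more requests than Gorouter recorded.
    Each finding: (minute, lb_count, gorouter_count, upgrade_seen_at_lb)."""
    lb_counts, lb_upgrades = count_per_minute(lb_log)
    gr_counts, _ = count_per_minute(gorouter_log)
    findings = []
    for minute in sorted(lb_counts):
        gr = gr_counts.get(minute, 0)
        if lb_counts[minute] - gr > tolerance:
            findings.append((minute, lb_counts[minute], gr, minute in lb_upgrades))
    return findings
```

A window where the gap coincides with a 101 upgrade at the load balancer is the pattern described above; a small, consistent gap across all windows is more likely clock skew or log loss, which is what the tolerance parameter is for.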

Resolution

Users of affected versions should apply the following mitigations or upgrades:

  • Open-source releases that have fixed this issue include:
    • cf-deployment: 1.14.0
    • routing-release: 0.172.0
  • The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
  • Pivotal releases that have fixed this issue include:
    • Pivotal Application Service: 2.0.6, 1.12.15, 1.11.27, 1.10.40, 1.8.65
    • PCF Isolation Segment: 2.0.5, 1.12.14, 1.11.25, 1.10.31

See Pivotal's CVE-2018-1221.