Ava-290: vcore and vcloud vulnerable to denial-of-service attack
22nd July 2020.
An attacker could cause a restart of the vcore HTTP server or the vcloud gateway by exploiting a vulnerability in the Go net/http package.
- vcore: All Beta Upgrade Channel versions before 2.3.3.
- vcore: All Stable Upgrade Channel versions before 2.3.4.
- vcloud: All versions before 15th July 2020
- vcore: All Beta Upgrade Channel versions after and including 2.3.3.
- vcore: All Stable Upgrade Channel versions after and including 2.3.4.
- vcam: All versions
This issue has been fixed in vcore Beta Upgrade Channel version 2.3.3 and Stable Upgrade Channel version 2.3.4. It is strongly recommended that all vcore installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the vcore WebUI. A fix was deployed to the vcloud on 15th July 2020. vcloud customers do not need to take any additional action.
An attacker would be able to deny access to the vcore UI by repeatedly exploiting a race condition in the vcore HTTP server detailed in https://github.com/golang/go/issues/34902. However, the attack would need to be sustained and the attacker would not be able to control how often they could restart the HTTP server.
- CVE: CVE-2020-15586
- CVSSv3.1 score: 5.3 (Medium)
- CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Issue found, and reported to the Go Team, by Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse.
- 14/10/2019 Issue found by Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay Kauzlaric, and Gabe Rosenhouse
- 14/07/2020 Fix identified
- 15/07/2020 Patched vcloud released
- 15/07/2020 Patched vcore 2.3.3 (Beta upgrade channel) released
- 22/07/2020 Patched vcore 2.3.4 (Stable upgrade channel) released
- 22/07/2020 Advisory published internally
- 22/07/2020 Vulnerability publicly disclosed