Severity: Important Vendor: The Apache Software Foundation
Versions Affected: Apache Mesos 1.1.0 to 1.3.0 The unsupported Apache Mesos 1.0.x as well as 0.x versions may be also affected. Description: When handling a libprocess message wrapped in an HTTP request, libprocess crashes if the request path is empty, because the parser assumes the request path always starts with '/'. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. Mitigation: pre-1.1.x users should upgrade to at least 1.1.3 1.1.x users should upgrade to 1.1.3 1.2.x users should upgrade to 1.2.2 1.3.0 users should upgrade to 1.3.1 1.4.0-dev users should obtain Mesos 1.4.0 Credit: This issue was discovered by Lyon Yang and Jeremy Heng Alex on behalf of Mesos PMC
