Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Mesos 1.4.0 to 1.5.0
The unsupported Apache Mesos pre-1.4.0 releases may also be affected.

Description:
When parsing a malformed JSON payload, libprocess might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can also crash libprocess because of a mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters, rendering the Mesos-controlled cluster inoperable.

Mitigation:
pre-1.4.x users should upgrade to at least 1.4.2
1.4.x users should upgrade to 1.4.2
1.5.0 users should upgrade to 1.5.1
1.6.0-dev users should obtain Mesos 1.6.0 or later

Credit:
This issue was discovered by Lyon Yang (@l0Op3r), Jeremy Heng (@nn_amon) and Quan Yang (@quanyang).

Alex on behalf of Mesos PMC.