Severity: Moderate Vendor: The Apache Software Foundation
Versions Affected: Apache Mesos 1.4.0 to 1.7.0 The unsupported Apache Mesos pre-1.4.0 releases may be also affected. Description: When parsing a JSON payload with deeply nested JSON structures, the parser might overflow the stack due to unbounded recursion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. Mitigation: pre-1.4.x users should upgrade to at least 1.4.3 1.4.x users should upgrade to 1.4.3 1.5.x users should upgrade to 1.5.2 1.6.x users should upgrade to 1.6.2 1.7.0 users should upgrade to 1.7.1 1.8-dev users should obtain Mesos 1.8.0 or later Credit: This issue was discovered by Terry Chia (Ayrx). Alex on behalf of Mesos PMC
