#VU58173 Resource exhaustion in Cloud Controller - CVE-2021-22101

Cybersecurity Help s.r.o.

Published: 2021-11-16

Vulnerability identifier: #VU58173

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-22101

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cloud Controller
Web applications / Modules and components for CMS

Vendor: Cloud Foundry Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion by using REST HTTP requests with label_selectors on multiple V3 endpoints by generating an enormous SQL query.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cloud Controller: 1.0.0 - 1.117.0

External links
https://www.cloudfoundry.org/blog/cve-2021-22101-cloud-controller-is-vulnerable-to-unauthenticated-denial-of-service/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in VMware Tanzu Application Service for VMs

Denial of service in Cloud Foundry Cloud Controller (CAPI)