CVE-2019-11289
📋 TL;DR
CVE-2019-11289 is a vulnerability in Cloud Foundry Routing Release (the component that ships the Gorouter). The Gorouter does not properly validate the nonce carried in a route service request, so a remote, unauthenticated attacker can forge an HTTP route service request with an invalid nonce and crash the Gorouter instance that handles it. All Cloud Foundry deployments running Routing Release versions before 0.193.0 are affected; the impact is denial of service.
💻 Affected Systems
- Cloud Foundry Routing (Gorouter)
📦 What is this software?
- cf-deployment by Cloud Foundry: the reference BOSH deployment manifest for Cloud Foundry. It pins a routing-release version, so any cf-deployment version that references routing-release older than 0.193.0 is affected.
- routing-release by Cloud Foundry: the BOSH release that ships the Gorouter (the platform's HTTP edge router) and the Routing API. The vulnerable route service signature handling lives here.
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for every application behind the platform: the trigger is a single unauthenticated HTTP request, so an attacker can crash Gorouter instances faster than monit restarts them, taking down all HTTP traffic through the router tier.
Likely Case
Intermittent outages and degraded performance as individual Gorouter instances crash and are restarted by monit; in-flight requests on the crashed instance are lost and application availability suffers until the restart completes.
If Mitigated
Minimal impact if patched or workarounds are applied; Gorouter remains stable and services operate normally.
🎯 Exploit Status
Exploitation requires only network access to the Gorouter's HTTP listener: a request carrying crafted route service headers whose nonce has an invalid form is enough to crash the router instance that processes it. No credentials, platform account or existing route service binding is needed, and the request is trivial to repeat.
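The failure mode the advisory describes (an attacker-supplied nonce reaching an authenticated-encryption routine without a length check) is easy to reproduce in Go, because `crypto/cipher`'s AES-GCM `Open` panics rather than returning an error when the nonce is not `NonceSize()` bytes long, and an unrecovered panic in a request handler terminates the process. The example below is added here for illustration and is not Gorouter's code: it models a route service signature as an AES-GCM ciphertext sent in one header and the nonce in a base64 JSON metadata header (the header layout, the `iv` field name and the `RouteServiceCrypto` type are assumptions for this example). `OpenUnchecked` shows the pre-fix pattern and `Open` the hardened one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// proxyMetadata is the assumed shape of the metadata header for this example:
// base64 of a JSON object carrying the GCM nonce. Gorouter's real layout is not copied.
type proxyMetadata struct {
	Nonce []byte `json:"iv"`
}

// RouteServiceCrypto seals and opens route service signatures with a shared secret.
type RouteServiceCrypto struct {
	aead cipher.AEAD
}

// NewRouteServiceCrypto builds an AES-GCM AEAD from a 16, 24 or 32 byte key.
func NewRouteServiceCrypto(key []byte) (*RouteServiceCrypto, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &RouteServiceCrypto{aead: aead}, nil
}

// Seal encrypts plaintext with a fresh random nonce and returns the two header
// values: the base64 ciphertext (signature) and the base64 JSON metadata.
func (c *RouteServiceCrypto) Seal(plaintext []byte) (sigB64, mdB64 string, err error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", "", err
	}
	ct := c.aead.Seal(nil, nonce, plaintext, nil)
	md, err := json.Marshal(proxyMetadata{Nonce: nonce})
	if err != nil {
		return "", "", err
	}
	return base64.URLEncoding.EncodeToString(ct), base64.URLEncoding.EncodeToString(md), nil
}

// OpenUnchecked mirrors the vulnerable pattern: the nonce length is never checked,
// so a forged metadata header with a wrong-sized nonce makes cipher.AEAD.Open panic
// ("crypto/cipher: incorrect nonce length given to GCM") and kills the process.
func (c *RouteServiceCrypto) OpenUnchecked(sigB64, mdB64 string) ([]byte, error) {
	ct, nonce, err := decodeHeaders(sigB64, mdB64)
	if err != nil {
		return nil, err
	}
	return c.aead.Open(nil, nonce, ct, nil)
}

// Open is the hardened version: reject a wrong-length nonce before it reaches the
// AEAD, so a forged request becomes an ordinary error response instead of a crash.
func (c *RouteServiceCrypto) Open(sigB64, mdB64 string) ([]byte, error) {
	ct, nonce, err := decodeHeaders(sigB64, mdB64)
	if err != nil {
		return nil, err
	}
	if len(nonce) != c.aead.NonceSize() {
		return nil, fmt.Errorf("invalid nonce length %d, want %d", len(nonce), c.aead.NonceSize())
	}
	return c.aead.Open(nil, nonce, ct, nil)
}

// decodeHeaders unpacks the two base64 header values into ciphertext and nonce.
func decodeHeaders(sigB64, mdB64 string) (ct, nonce []byte, err error) {
	ct, err = base64.URLEncoding.DecodeString(sigB64)
	if err != nil {
		return nil, nil, err
	}
	raw, err := base64.URLEncoding.DecodeString(mdB64)
	if err != nil {
		return nil, nil, err
	}
	var md proxyMetadata
	if err := json.Unmarshal(raw, &md); err != nil {
		return nil, nil, err
	}
	if len(md.Nonce) == 0 {
		return nil, nil, errors.New("metadata carries no nonce")
	}
	return ct, md.Nonce, nil
}

// ForgedMetadata builds an attacker-style metadata header whose nonce is n bytes long.
func ForgedMetadata(n int) string {
	md, _ := json.Marshal(proxyMetadata{Nonce: make([]byte, n)})
	return base64.URLEncoding.EncodeToString(md)
}

func main() {
	c, err := NewRouteServiceCrypto([]byte("0123456789abcdef0123456789abcdef")) // constructed key
	if err != nil {
		panic(err)
	}
	sig, md, _ := c.Seal([]byte("https://app.example.test/path"))
	pt, err := c.Open(sig, md)
	fmt.Printf("valid request: %q err=%v\n", pt, err)
	_, err = c.Open(sig, ForgedMetadata(11)) // wrong nonce length, hardened path
	fmt.Println("forged request, hardened:", err)
	// c.OpenUnchecked(sig, ForgedMetadata(11)) would panic here and crash the process.
}
```

The hardened check is deliberately placed before any cryptographic work: the AEAD contract in Go treats a bad nonce length as a programming error, not as bad input, so the only safe place to turn untrusted header data into a clean error is ahead of the `Open` call.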
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.193.0 or later
Vendor Advisory: https://www.cloudfoundry.org/blog/cve-2019-11289
Restart Required: Yes. Applying the new routing-release with `bosh deploy` restarts the gorouter job on every router instance as part of the rollout.
Instructions:
1. Update the deployment manifest (or cf-deployment) to routing-release 0.193.0 or later and run `bosh deploy`.
2. Let BOSH roll the router instances; the gorouter job is restarted on each one with the patched binary.
3. Verify the deployed version with `bosh deployments` and check that the routing entry in the Release(s) column is 0.193.0 or later.
🔧 Temporary Workarounds
Disable Route Services
Temporarily disabling route services removes the feature the forged requests target, but note that the cf CLI command often quoted for this, cf disable-feature-flag route_services, does not work: there is no route_services feature flag (run cf feature-flags to confirm). Route service support in the Gorouter is governed by the router.route_services_secret BOSH property; when no value is configured, route services are disabled on the router. Removing the secret also breaks every application currently bound to a route service, so treat this as a stopgap until 0.193.0 is deployed, not as a fix.
🧯 If You Can't Patch
- Restrict who can reach the Gorouter. It is the platform's public HTTP entry point by design, so segmentation only helps for internal-only deployments; otherwise the practical control is the load balancer or WAF in front of the router tier.
- At that load balancer or WAF, only requests coming back from a route service legitimately carry the X-CF-Proxy-Signature and X-CF-Proxy-Metadata headers. Drop or rate-limit requests carrying these headers from any source that is not one of your route services. Note that the nonce itself is inside a base64-encoded header value, so a generic signature rule will not recognise an "invalid nonce" without decoding it.
🔍 How to Verify
Check if Vulnerable:
Check the routing-release version in the deployment; if it is older than 0.193.0, the Gorouter is vulnerable.
Check Version:
bosh deployments lists every deployment with its releases; look for the routing entry in the Release(s) column (or inspect the routing-release version pinned in your cf-deployment manifest). cf routing-api version is not a cf CLI command and will not report this.
Verify Fix Applied:
Confirm with bosh deployments that every deployment running the Gorouter now references routing-release 0.193.0 or later, and check with bosh -d cf instances that the router instances are running after the rollout. Do not verify by sending malformed route service requests to a production router: on an unpatched instance that is the attack itself.
📡 Detection & Monitoring
Log Indicators:
- Gorouter panic stack traces in the job's stderr log on the router VMs (under /var/vcap/sys/log/gorouter/) and unexpected process restarts reported by monit (monit summary on the VM). The Gorouter seals route service signatures with AES-GCM, and Go's AES-GCM implementation panics with the message "crypto/cipher: incorrect nonce length given to GCM" when handed a wrong-length nonce, so that string is the likely marker of a forged request; the page does not state the exact crash message, so confirm it against your own logs.
Network Indicators:
- Unusual volumes of requests to the Gorouter carrying the X-CF-Proxy-Signature and X-CF-Proxy-Metadata headers from sources other than your route services, especially when they correlate with router restarts. The nonce travels in the metadata header, not in a query parameter.
SIEM Query:
Example (pseudo-query, adapt the field names to your SIEM): 'source="gorouter" AND ("panic:" OR "incorrect nonce length given to GCM")', alerting when several hits occur within a few minutes, since a restart loop rather than a single crash is what exploitation looks like.
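The log indicators and SIEM query above can be turned into concrete detection logic. The example below is added here and is not part of the page or of the Cloud Foundry project: it scans collector-stamped stderr lines for Go panics, classifies the ones that match the AES-GCM nonce-length message, and raises an alert when a burst of them lands inside a sliding time window, which is what a restart loop driven by repeated forged requests looks like. The timestamp prefix is an assumption (raw Go panic output has none, so it has to come from the log shipper), and the sample lines are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// gcmNoncePanic is the message Go's crypto/cipher emits when a GCM nonce has
// the wrong length. Matching it in Gorouter's stderr is an inference from the
// advisory, not something the advisory states, so confirm against real logs.
const gcmNoncePanic = "crypto/cipher: incorrect nonce length given to GCM"

// CrashEvent is one Go panic observed in the log, with the shipper's timestamp.
type CrashEvent struct {
	At      time.Time
	Message string
}

// ParseCrashes reads lines of the assumed form "<RFC3339 timestamp> <text>" and
// keeps only the ones that start a panic. Lines are expected in time order.
func ParseCrashes(lines []string) ([]CrashEvent, error) {
	var events []CrashEvent
	for _, line := range lines {
		ts, rest, ok := strings.Cut(line, " ")
		if !ok || !strings.HasPrefix(rest, "panic: ") {
			continue
		}
		at, err := time.Parse(time.RFC3339, ts)
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", ts, err)
		}
		events = append(events, CrashEvent{At: at, Message: strings.TrimPrefix(rest, "panic: ")})
	}
	return events, nil
}

// IsNonceCrash reports whether a panic matches the AES-GCM nonce-length failure.
func IsNonceCrash(e CrashEvent) bool {
	return strings.Contains(e.Message, gcmNoncePanic)
}

// BurstAlert is true when at least threshold nonce-related panics fall inside
// any sliding window of the given length. A single crash may be noise; a burst
// means something is repeatedly sending forged route service requests.
func BurstAlert(events []CrashEvent, window time.Duration, threshold int) bool {
	var times []time.Time
	for _, e := range events {
		if IsNonceCrash(e) {
			times = append(times, e.At)
		}
	}
	start := 0
	for end := range times {
		for times[end].Sub(times[start]) > window {
			start++
		}
		if end-start+1 >= threshold {
			return true
		}
	}
	return false
}

// SampleStderr is a constructed log excerpt: three nonce crashes within two
// minutes, one unrelated panic, and ordinary noise. Not real Gorouter output.
var SampleStderr = []string{
	"2019-10-01T12:00:00Z gorouter starting",
	"2019-10-01T12:00:07Z panic: crypto/cipher: incorrect nonce length given to GCM",
	"2019-10-01T12:00:07Z goroutine 42 [running]:",
	"2019-10-01T12:00:31Z panic: crypto/cipher: incorrect nonce length given to GCM",
	"2019-10-01T12:01:10Z panic: runtime error: index out of range [3] with length 3",
	"2019-10-01T12:01:55Z panic: crypto/cipher: incorrect nonce length given to GCM",
}

func main() {
	events, err := ParseCrashes(SampleStderr)
	if err != nil {
		panic(err)
	}
	for _, e := range events {
		fmt.Printf("%s nonce-related=%t %s\n", e.At.Format(time.RFC3339), IsNonceCrash(e), e.Message)
	}
	fmt.Println("burst alert (3 in 5m):", BurstAlert(events, 5*time.Minute, 3))
}
```

The window and threshold are tuning knobs: monit restarts the process within seconds, so three nonce panics in five minutes from one router VM is already far outside normal behaviour, while a single panic is worth a ticket but not a page.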