CVE-2024-37168 – @grpc/grpc-js can allocate memory for incoming messages well above configured limits
https://notcve.org/view.php?id=CVE-2024-37168
@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22. @grpc/grps-js implementa la funcionalidad principal de gRPC exclusivamente en JavaScript, sin un complemento de C++. Antes de las versiones 1.10.9, 1.9.15 y 1.8.22, existen dos rutas de código separadas en las que se puede asignar memoria por mensaje que exceda la opción de canal `grpc.max_receive_message_length`: si un mensaje entrante tiene un tamaño en el cable es mayor que el límite configurado, todo el mensaje se almacena en el búfer antes de descartarlo; y/o si un mensaje entrante tiene un tamaño dentro del límite del cable pero se descomprime a un tamaño mayor que el límite, el mensaje completo se descomprime en la memoria y no se descarta en el servidor. • https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650 https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3 https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86 • CWE-789: Memory Allocation with Excessive Size Value •
CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-4785 – Denial of Service in gRPC Core
https://notcve.org/view.php?id=CVE-2023-4785
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. La falta de manejo de errores en el servidor TCP en gRPC de Google a partir de la versión 1.23 en plataformas compatibles con posix (por ejemplo, Linux) permite a un atacante provocar una denegación de servicio al iniciar una cantidad significativa de conexiones con el servidor. Tenga en cuenta que gRPC C++ Python y Ruby se ven afectados, pero gRPC Java y Go NO se ven afectados. • https://github.com/grpc/grpc/pull/33656 https://github.com/grpc/grpc/pull/33667 https://github.com/grpc/grpc/pull/33669 https://github.com/grpc/grpc/pull/33670 https://github.com/grpc/grpc/pull/33672 https://access.redhat.com/security/cve/CVE-2023-4785 https://bugzilla.redhat.com/show_bug.cgi?id=2239017 • CWE-248: Uncaught Exception •
CVE-2023-33953 – Denial-of-Service in gRPC
https://notcve.org/view.php?id=CVE-2023-33953
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc… • https://cloud.google.com/support/bulletins#gcp-2023-022 • CWE-770: Allocation of Resources Without Limits or Throttling CWE-789: Memory Allocation with Excessive Size Value CWE-834: Excessive Iteration •
CVE-2023-32731 – Information leak in gRPC
https://notcve.org/view.php?id=CVE-2023-32731
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 • https://github.com/grpc/grpc/pull/32309 https://github.com/grpc/grpc/pull/33005 • CWE-440: Expected Behavior Violation •