gRPC-Go HTTP/2 Rapid Reset vulnerability

2023-10-2521:17:37

GitHub Advisory Database

github.com

vulnerability

grpc-go

http/2

rapid reset

attacker

http/2 requests

patch

method handlers

concurrent

stream limit

resources

JSON

Impact

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

Patches

This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.

Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server’s resources used for any single connection.

Workarounds

None.

References

#6703

Affected configurations

Vulners

Node

google.golang.orggrpcRange<1.58.3

google.golang.orggrpcRange<1.57.1

google.golang.orggrpcRange<1.56.3

VendorProductVersionCPE
google.golang.orggrpc*cpe:2.3:a:google.golang.org:grpc:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
google.golang.org	grpc	*	cpe:2.3:a:google.golang.org:grpc::::::::

References

github.com/advisories/GHSA-m425-mq94-257g

github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721

github.com/grpc/grpc-go/pull/6703

github.com/grpc/grpc-go/security/advisories/GHSA-m425-mq94-257g

nvd.nist.gov/vuln/detail/CVE-2023-44487

JSON