Описание
gRPC-Go HTTP/2 Rapid Reset vulnerability
Impact
In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.
Patches
This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.
Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.
Workarounds
None.
References
#6703
Пакеты
google.golang.org/grpc
< 1.56.3
1.56.3
google.golang.org/grpc
>= 1.57.0, < 1.57.1
1.57.1
google.golang.org/grpc
>= 1.58.0, < 1.58.3
1.58.3
7.5 High
CVSS3
7.5 High
CVSS3