Описание
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.
This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.
Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
A flaw was found in Google gRPC due to HPACK table poisoning between the proxy and backend so that other clients see failed requests, resulting in a denial of service. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. By sending a specially crafted request, an attacker could leak other clients HTTP header keys. Attackers are only able to access HTTP header keys but not values.
Отчет
This vulnerability is specific to C++ implementations of gRPC release and does not affect Golang or Java implementations of gRPC. The gRPC RPM was packaged with Openshift via the Kuryr component. However, Kuryr was never configured to run code using the gRPC library, hence, grpcio dependency has been removed from Kuryr since Openshift-4.12.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-controller-rhel8 | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-controller-rhel9 | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-git-cloner-rhel8 | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-git-cloner-rhel9 | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-bundler-rhel8 | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-bundler-rhel9 | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-processing-rhel8 | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-processing-rhel9 | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-operator-bundle | Not affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-rhel8-operator | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
4.8 Medium
CVSS3
Связанные уязвимости
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
It's possible for a gRPC client communicating with a HTTP/2 proxy to p ...
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
EPSS
4.8 Medium
CVSS3