Bug 2214469 (CVE-2023-32732)

Summary: CVE-2023-32732 gRPC: denial of service
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, jburrell, rogbas, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in gRPC, which is vulnerable to a denial of service, caused by a base64 encoding error for "-bin" suffixed headers. By sending a specially crafted request, a remote attacker can cause a termination of the connection between an HTTP2 proxy and a gRPC server, resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2214470, 2214471, 2214472    
Bug Blocks: 2213811    

Description Avinash Hanwate 2023-06-13 06:04:30 UTC 
gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in  https://github.com/grpc/grpc/pull/32309 https://www.google.com/url
Comment 1 Avinash Hanwate 2023-06-13 06:05:13 UTC 
Created flatbuffers tracking bugs for this issue:

Affects: fedora-all [bug 2214471]


Created grpc tracking bugs for this issue:

Affects: fedora-all [bug 2214470]
Affects: openstack-rdo [bug 2214472]