Bug 2292036 (CVE-2024-37168)

Summary: CVE-2024-37168 grpc-js: allocate memory for incoming messages well above configured limits
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: akostadi, amasferr, cbartlet, chazlett, dmayorov, jchui, jlledo, ktsao, mmakovy, nboldt, rtaniwa, tjochec, tkral
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grpc-js, which implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This issue has been patched in versions 1.10.9, 1.9.15, and 1.8.22.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2292060, 2292061, 2292062, 2292063, 2292064
Bug Blocks: 2292059

Description Rohit Keshri 2024-06-12 14:40:06 UTC
@grpc/grpc-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.

https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650
https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3
https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb
https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86

Comment 1 Rohit Keshri 2024-06-12 19:04:55 UTC
Created chromium tracking bugs for this issue:

Affects: epel-7 [bug 2292060]
Affects: epel-8 [bug 2292061]
Affects: fedora-39 [bug 2292062]
Affects: fedora-40 [bug 2292063]


Created obs-cef tracking bugs for this issue:

Affects: fedora-40 [bug 2292064]