Bug 1212181 (CVE-2023-1428)

Summary: VUL-0: CVE-2023-1428: grpc: There exists a vulnerability causing an abort() to be called in gRPC
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: SUSE Public Cloud Maintainer <public-cloud-maintainers>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: adrian.glaubitz, public-cloud-maintainers, security-team, stoyan.manolov
Version: unspecified
Flags: stoyan.manolov: needinfo? (public-cloud-maintainers)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/368983/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2023-06-09 14:05:50 UTC
There exists a vulnerability causing an abort() to be called in gRPC.
The following headers cause gRPC's C++ implementation to abort() when called via
http2:

te: x (x != trailers)
:scheme: x (x != http, https)
grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets
the total header size past 8KB. We recommend upgrading past git
commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1428
https://www.cve.org/CVERecord?id=CVE-2023-1428
https://github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8
Comment 1 Gianluca Gabrielli 2023-06-09 14:05:55 UTC
Affected packages:
 - SUSE:SLE-15-SP1:Update/grpc
 - SUSE:SLE-15-SP2:Update/grpc
Comment 4 John Paul Adrian Glaubitz 2023-07-10 08:19:23 UTC
Looking at the entries on both NIST and CVE.org, it seems this affects grpc versions >= 1.51 and < 1.53 while we're shipping version 1.25 at the moment.

I also verified that the suggested patch does not apply as the code being patched doesn't exist in 1.25 which is currently in SLE-15-SP1 and SLE-15-SP2.

So, I think the grpc versions in SLE are not affected. Tumbleweed ships 1.56 which is also not affected.
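A defender-side triage script, added here as an illustration and not part of this bug report, of gRPC, or of the SUSE packaging. It covers both the description above (request header sets that match the three stated trigger headers together with a total header size past 8KB) and comment 4 (whether a grpc version string falls in the affected range >= 1.51 and < 1.53). The sample header sets are constructed, not captured traffic; the 8192-byte threshold and the size accounting (sum of header name and value bytes, regardless of header order) are assumptions that approximate the advisory's "total header size past 8KB" and do not reproduce gRPC's internal metadata accounting.

```python
from typing import Dict, List, Sequence, Tuple

Header = Tuple[str, str]

# Advisory says "past 8KB"; 8192 bytes is assumed here.
HEADER_SIZE_LIMIT = 8 * 1024

# Version range from comment 4 (NVD / CVE.org): affected if >= 1.51 and < 1.53.
AFFECTED_MIN = (1, 51)
FIXED_MIN = (1, 53)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v1.52.1' or '1.25' into a comparable tuple of ints.

    A leading 'v', pre-release suffixes ('-rc1') and build metadata ('+abc') are dropped.
    """
    core = version.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when major.minor is inside [1.51, 1.53), the range quoted in comment 4."""
    major_minor = (parse_version(version) + (0,))[:2]
    return AFFECTED_MIN <= major_minor < FIXED_MIN


def trigger_headers(headers: Sequence[Header]) -> List[str]:
    """Return one reason string per header matching a trigger condition from the advisory."""
    reasons: List[str] = []
    for name, value in headers:
        lname = name.lower()  # HTTP/2 header names are lowercase on the wire
        if lname == "te" and value.lower() != "trailers":
            reasons.append(f"te={value!r} (expected 'trailers')")
        elif lname == ":scheme" and value.lower() not in ("http", "https"):
            reasons.append(f":scheme={value!r} (expected http/https)")
        elif lname == "grpclb_client_stats":
            reasons.append("grpclb_client_stats present")
    return reasons


def header_bytes(headers: Sequence[Header]) -> int:
    # Assumption: approximate the decoded header block size as name + value bytes.
    return sum(len(n.encode()) + len(v.encode()) for n, v in headers)


def assess_request(headers: Sequence[Header]) -> Dict[str, object]:
    """Flag a request whose headers match the pattern described in the advisory."""
    reasons = trigger_headers(headers)
    size = header_bytes(headers)
    return {
        "trigger_headers": reasons,
        "header_bytes": size,
        "oversized": size > HEADER_SIZE_LIMIT,
        "matches_cve_2023_1428_pattern": bool(reasons) and size > HEADER_SIZE_LIMIT,
    }


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST: List[Header] = [
    (":method", "POST"), (":scheme", "https"), (":path", "/pkg.Svc/Call"),
    ("te", "trailers"), ("content-type", "application/grpc"),
]
SUSPICIOUS_REQUEST: List[Header] = [
    (":method", "POST"), (":scheme", "https"), (":path", "/pkg.Svc/Call"),
    ("te", "x"), ("content-type", "application/grpc"),
    ("x-padding", "A" * 9000),  # later header pushing the block well past 8KB
]


if __name__ == "__main__":
    for label, version in (("SLE-15-SP1/SP2", "1.25"), ("example", "v1.52.0"),
                           ("Tumbleweed", "1.56")):
        print(f"{label}: grpc {version} affected={is_affected_version(version)}")
    for label, req in (("normal", NORMAL_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, assess_request(req))
```

The version helper compares major.minor only, which is all the quoted range specifies; a packaged build that carries a backported fix would need to be judged on its patch list, as comment 4 does, not on the version string alone.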
Comment 5 Gianluca Gabrielli 2023-07-14 13:22:28 UTC
You are right, thanks for your feedback. Closing.