Bug 1215334 (CVE-2023-4785)

Summary: VUL-0: CVE-2023-4785: grpc: Denial of services due to lack of error handling
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: John Paul Adrian Glaubitz <adrian.glaubitz>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: adrian.glaubitz, gianluca.gabrielli, kvanderveer, meissner, rjschwei, security-team, stoyan.manolov
Version: unspecifiedFlags: kvanderveer: needinfo? (meissner)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/378184/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4785:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Cathy Hu 2023-09-14 09:09:59 UTC 
CVE-2023-4785

Lack of error handling in the TCP server in Google's gRPC starting version 1.23
on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial
of service by initiating a significant number of connections with the server.
Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT
affected. 

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4785
https://www.cve.org/CVERecord?id=CVE-2023-4785
https://github.com/grpc/grpc/pull/33656
https://github.com/grpc/grpc/pull/33667
https://github.com/grpc/grpc/pull/33669
https://github.com/grpc/grpc/pull/33670
https://github.com/grpc/grpc/pull/33672
Comment 1 Cathy Hu 2023-09-14 09:10:27 UTC 
Affected:
- SUSE:SLE-15-SP1:Update/grpc  1.25.0
- SUSE:SLE-15-SP2:Update/grpc  1.25.0

Not affected:
- openSUSE:Factory/grpc        1.58.0
Comment 2 John Paul Adrian Glaubitz 2023-09-14 09:43:29 UTC 
I just had a quick look and the patch for the 1.53.x branch does not apply against version 1.25.0, so we will have to backport the fix ourselves.
Comment 3 Robert Schweikert 2023-09-14 11:34:46 UTC 
Are there API/ABI incompatibilities in 1.53? If not we should probably consider a version bump.
Comment 4 John Paul Adrian Glaubitz 2023-09-14 11:38:18 UTC 
(In reply to Robert Schweikert from comment #3)
> Are there API/ABI incompatibilities in 1.53? If not we should probably
> consider a version bump.

I will have to verify that. A version update to >=1.56 has been requested in PED-5014 anyway. However, the update would require the updates of multiple dependencies as well as submissions of new packages.
Comment 12 OBSbugzilla Bot 2024-02-09 14:05:08 UTC 
This is an autogenerated message for OBS integration:
This bug (1215334) was mentioned in
https://build.opensuse.org/request/show/1145435 Factory / python-grpcio
Comment 14 Maintenance Automation 2024-02-21 12:30:24 UTC 
SUSE-SU-2024:0573-1: An update that solves five vulnerabilities, contains one feature and has three security fixes can now be installed.

Category: security (moderate)
Bug References: 1133277, 1182659, 1203378, 1208794, 1212180, 1212182, 1214148, 1215334
CVE References: CVE-2023-32731, CVE-2023-32732, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785
Jira References: PED-5014
Sources used:
openSUSE Leap 15.4 (src): python-abseil-1.4.0-150400.9.3.1, re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1, python-grpcio-1.60.0-150400.9.3.2, opencensus-proto-0.3.0+git.20200721-150400.9.3.1
openSUSE Leap Micro 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
openSUSE Leap Micro 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
openSUSE Leap 15.5 (src): python-abseil-1.4.0-150400.9.3.1, re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1, python-grpcio-1.60.0-150400.9.3.2, opencensus-proto-0.3.0+git.20200721-150400.9.3.1
SUSE Linux Enterprise High Performance Computing 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Server 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Retail Branch Server 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Proxy 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise High Performance Computing 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
Basesystem Module 15-SP5 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
Development Tools Module 15-SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Package Hub 15 15-SP5 (src): protobuf-25.1-150400.9.3.1
Public Cloud Module 15-SP4 (src): grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1
Public Cloud Module 15-SP5 (src): re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1
Python 3 Module 15-SP5 (src): python-abseil-1.4.0-150400.9.3.1, python-grpcio-1.60.0-150400.9.3.2, protobuf-25.1-150400.9.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): abseil-cpp-20230802.1-150400.10.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Karen Van der Veer 2024-03-14 14:56:13 UTC 
Waiting for guidance from Marcus.