Bugzilla – Bug 1212181
VUL-0: CVE-2023-1428: grpc: There exists a vulnerability causing an abort() to be called in gRPC
Last modified: 2023-07-14 13:22:28 UTC
There exists a vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2:
- te: x (x != trailers)
- :scheme: x (x != http, https)
- grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB.

We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1428
- https://www.cve.org/CVERecord?id=CVE-2023-1428
- https://github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8
Affected packages:
- SUSE:SLE-15-SP1:Update/grpc
- SUSE:SLE-15-SP2:Update/grpc
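The trigger conditions in the description can be turned into a detection rule for a proxy or log pipeline sitting in front of a gRPC server that cannot be upgraded yet. This is an added example, not code from the bug report or from the gRPC project; the header size is approximated as the sum of name and value lengths (an assumption, ignoring per-header overhead), and the sample header lists are constructed, not captured traffic.

```python
# Added example (not from the bug report or gRPC): flag HTTP/2 request header
# lists that match the CVE-2023-1428 trigger conditions described in the
# advisory, so a proxy or log pipeline can reject or alert before the request
# reaches an unpatched gRPC C++ server.

HEADER_SIZE_LIMIT = 8 * 1024  # "past 8KB" per the advisory


def header_bytes(headers):
    """Approximate total metadata size as name + value lengths.
    Assumption: per-header framing overhead is ignored, so this undercounts."""
    return sum(len(name) + len(value) for name, value in headers)


def suspicious_headers(headers):
    """Return the names of headers whose values match the advisory's
    trigger conditions (empty list means none matched)."""
    hits = []
    for name, value in headers:
        lname = name.lower()
        if lname == "te" and value != "trailers":
            hits.append(name)
        elif lname == ":scheme" and value not in ("http", "https"):
            hits.append(name)
        elif lname == "grpclb_client_stats":  # any value counts
            hits.append(name)
    return hits


def matches_cve_2023_1428(headers):
    """True only when both advisory conditions hold: a triggering header is
    present AND the total header size exceeds the 8KB limit."""
    return bool(suspicious_headers(headers)) and header_bytes(headers) > HEADER_SIZE_LIMIT


# Constructed sample inputs (not real traffic).
NORMAL = [(":method", "POST"), (":scheme", "https"), (":path", "/pkg.Svc/Call"),
          ("te", "trailers"), ("content-type", "application/grpc")]
BAD_TE_SMALL = [(":method", "POST"), (":scheme", "https"), ("te", "x")]
BAD_TE_LARGE = BAD_TE_SMALL + [("x-padding", "a" * (HEADER_SIZE_LIMIT + 1))]

if __name__ == "__main__":
    for label, hdrs in [("normal", NORMAL), ("bad-te-small", BAD_TE_SMALL),
                        ("bad-te-large", BAD_TE_LARGE)]:
        print(label, suspicious_headers(hdrs), header_bytes(hdrs),
              matches_cve_2023_1428(hdrs))
```

Only the combination of a malformed header and an oversized header set is flagged; a malformed `te` alone is reported by `suspicious_headers` but does not by itself match the advisory.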
Looking at the entries on both NIST and CVE.org, it seems this affects grpc versions >= 1.51 and < 1.53, while we're shipping version 1.25 at the moment. I also verified that the suggested patch does not apply, as the code being patched doesn't exist in 1.25, which is currently in SLE-15-SP1 and SLE-15-SP2. So, I think the grpc versions in SLE are not affected. Tumbleweed ships 1.56, which is also not affected.
You are right, thanks for your feedback. Closing.