1212182 – (CVE-2023-32732) VUL-0: CVE-2023-32732: grpc: gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server

Bug 1212182 (CVE-2023-32732) - VUL-0: CVE-2023-32732: grpc: gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server

Summary: VUL-0: CVE-2023-32732: grpc: gRPC contains a vulnerability whereby a client c...

Status:	IN_PROGRESS

Alias:	CVE-2023-32732

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	John Paul Adrian Glaubitz
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/368985/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-32732:5.3:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-06-09 14:11 UTC by Gianluca Gabrielli
Modified:	2024-06-04 08:36 UTC (History)
CC List:	7 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Flags:	kvanderveer: needinfo? (meissner) gianluca.gabrielli: needinfo? (rfrohl) rfrohl: needinfo? (adrian.glaubitz)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2023-06-09 14:11:05 UTC

gRPC contains a vulnerability whereby a client can cause a termination of
connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for
`-bin` suffixed headers will result in a disconnection by the gRPC server, but
is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit
in  https://github.com/grpc/grpc/pull/32309 https://www.google.com/url 


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32732
https://www.cve.org/CVERecord?id=CVE-2023-32732
https://github.com/grpc/grpc/pull/32309

Comment 1 Gianluca Gabrielli 2023-06-09 14:11:17 UTC

Affected packages:
 - SUSE:SLE-15-SP1:Update/grpc
 - SUSE:SLE-15-SP2:Update/grpc

Comment 11 OBSbugzilla Bot 2024-02-09 14:05:05 UTC

This is an autogenerated message for OBS integration:
This bug (1212182) was mentioned in
https://build.opensuse.org/request/show/1145435 Factory / python-grpcio

Comment 13 Maintenance Automation 2024-02-21 12:30:24 UTC

SUSE-SU-2024:0573-1: An update that solves five vulnerabilities, contains one feature and has three security fixes can now be installed.

Category: security (moderate)
Bug References: 1133277, 1182659, 1203378, 1208794, 1212180, 1212182, 1214148, 1215334
CVE References: CVE-2023-32731, CVE-2023-32732, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785
Jira References: PED-5014
Sources used:
openSUSE Leap 15.4 (src): python-abseil-1.4.0-150400.9.3.1, re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1, python-grpcio-1.60.0-150400.9.3.2, opencensus-proto-0.3.0+git.20200721-150400.9.3.1
openSUSE Leap Micro 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
openSUSE Leap Micro 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
openSUSE Leap 15.5 (src): python-abseil-1.4.0-150400.9.3.1, re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1, python-grpcio-1.60.0-150400.9.3.2, opencensus-proto-0.3.0+git.20200721-150400.9.3.1
SUSE Linux Enterprise High Performance Computing 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Server 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Retail Branch Server 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Manager Proxy 4.3 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise High Performance Computing 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.3 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.4 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Micro 5.5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
Basesystem Module 15-SP5 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
Development Tools Module 15-SP5 (src): protobuf-25.1-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Package Hub 15 15-SP5 (src): protobuf-25.1-150400.9.3.1
Public Cloud Module 15-SP4 (src): grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1
Public Cloud Module 15-SP5 (src): re2-20240201-150400.9.3.1, grpc-1.60.0-150400.8.3.2, protobuf-25.1-150400.9.3.1
Python 3 Module 15-SP5 (src): python-abseil-1.4.0-150400.9.3.1, python-grpcio-1.60.0-150400.9.3.2, protobuf-25.1-150400.9.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): protobuf-25.1-150400.9.3.1, grpc-1.60.0-150400.8.3.2, re2-20240201-150400.9.3.1, abseil-cpp-20230802.1-150400.10.4.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): abseil-cpp-20230802.1-150400.10.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Karen Van der Veer 2024-03-14 14:58:24 UTC

Waiting for guidance from Marcus.