ALAS-2023-282

Amazon Linux 2023 Security Advisory: ALAS-2023-282
Advisory Release Date: 2023-08-03 20:26 Pacific
Advisory Updated Date: 2023-10-12 16:11 Pacific
Severity: Important
Issue Overview:

2023-10-12: CVE-2023-4785 was added to this advisory.

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 (CVE-2023-32731)

gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309 https://www.google.com/url (CVE-2023-32732)

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. (CVE-2023-4785)


Affected Packages:

grpc


Issue Correction:
Run dnf update grpc --releasever 2023.1.20230809 to update your system.

New Packages:
aarch64:
    grpc-cpp-debuginfo-1.56.2-10.amzn2023.aarch64
    grpc-debuginfo-1.56.2-10.amzn2023.aarch64
    grpc-plugins-1.56.2-10.amzn2023.aarch64
    grpc-plugins-debuginfo-1.56.2-10.amzn2023.aarch64
    grpc-1.56.2-10.amzn2023.aarch64
    grpc-cpp-1.56.2-10.amzn2023.aarch64
    grpc-devel-1.56.2-10.amzn2023.aarch64
    grpc-debugsource-1.56.2-10.amzn2023.aarch64

noarch:
    grpc-data-1.56.2-10.amzn2023.noarch
    grpc-doc-1.56.2-10.amzn2023.noarch

src:
    grpc-1.56.2-10.amzn2023.src

x86_64:
    grpc-debuginfo-1.56.2-10.amzn2023.x86_64
    grpc-plugins-debuginfo-1.56.2-10.amzn2023.x86_64
    grpc-cpp-debuginfo-1.56.2-10.amzn2023.x86_64
    grpc-plugins-1.56.2-10.amzn2023.x86_64
    grpc-1.56.2-10.amzn2023.x86_64
    grpc-cpp-1.56.2-10.amzn2023.x86_64
    grpc-devel-1.56.2-10.amzn2023.x86_64
    grpc-debugsource-1.56.2-10.amzn2023.x86_64

Additional References

Red Hat: CVE-2023-32731, CVE-2023-32732, CVE-2023-4785

Mitre: CVE-2023-32731, CVE-2023-32732, CVE-2023-4785