Amazon Linux 2023 Security Advisory: ALAS-2024-769
Advisory Release Date: 2024-12-05 20:34 Pacific
Advisory Updated Date: 2024-12-16 13:30 Pacific
Severity:
Medium
Issue Overview:
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.
This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.
Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4. (CVE-2024-7246)
Affected Packages:
grpc
Issue Correction:
Run dnf update grpc --releasever 2023.6.20241212 to update your system.
New Packages:
aarch64:
grpc-debuginfo-1.60.2-10.amzn2023.aarch64
grpc-plugins-debuginfo-1.60.2-10.amzn2023.aarch64
grpc-cpp-debuginfo-1.60.2-10.amzn2023.aarch64
grpc-cpp-1.60.2-10.amzn2023.aarch64
grpc-plugins-1.60.2-10.amzn2023.aarch64
grpc-1.60.2-10.amzn2023.aarch64
grpc-devel-1.60.2-10.amzn2023.aarch64
grpc-debugsource-1.60.2-10.amzn2023.aarch64
noarch:
grpc-data-1.60.2-10.amzn2023.noarch
grpc-doc-1.60.2-10.amzn2023.noarch
src:
grpc-1.60.2-10.amzn2023.src
x86_64:
grpc-plugins-debuginfo-1.60.2-10.amzn2023.x86_64
grpc-debuginfo-1.60.2-10.amzn2023.x86_64
grpc-cpp-debuginfo-1.60.2-10.amzn2023.x86_64
grpc-plugins-1.60.2-10.amzn2023.x86_64
grpc-cpp-1.60.2-10.amzn2023.x86_64
grpc-1.60.2-10.amzn2023.x86_64
grpc-devel-1.60.2-10.amzn2023.x86_64
grpc-debugsource-1.60.2-10.amzn2023.x86_64