gRPC and CVE-2023-44487?

[Mikko Rantanen]

Hey!

We have tried to find some sort of official clarification on whether/how gRPC is affected by CVE-2023-44487. Is there more information on this somewhere?

The closest related thing we could find were recent changes to concurrent streams and RST_STREAM: https://github.com/grpc/grpc/commit/6a49e953a4df6ea8aa4378de575b0a7a59421f30, but even that doesn't reference CVE-2023-44487 in any way, so not sure if that is relevant here.

- Mikko

[yh zhou]

I'm also looking for the same information. It would be of great help if  anything effective replied. Thanks.

-zhouyh

[Hemant Jain]

I see there's PR for the same https://github.com/grpc/grpc/pull/34763. does this takes care of python module too?

[veb...@google.com]

gRPC C++, Python, and Ruby will soon have a 1.59.2 patch release to address CVE-2023-44487. Thus, 1.60 or later will have this fix.

gRPC ObjC and PHP are not affected by this CVE because they do not support the server feature that has the vulnerability.

[yh zhou]

 Are there any POCs or steps to reproduce this vulnerability in grpc can be provided? And what operations can user take to reduce the risk of attack at present.

[veb...@google.com]

We don't want to share details about how to reproduce it because it would do more harm than good. Action required here to mitigate this is to update gRPC to the version with the fix.