gRPC and CVE-2023-44487?

1,347 views
Skip to first unread message

Mikko Rantanen

unread,
Oct 11, 2023, 3:14:58 AM10/11/23
to grpc.io
Hey!

We have tried to find some sort of official clarification on whether/how gRPC is affected by CVE-2023-44487. Is there more information on this somewhere?

The closest related thing we could find were recent changes to concurrent streams and RST_STREAM: https://github.com/grpc/grpc/commit/6a49e953a4df6ea8aa4378de575b0a7a59421f30, but even that doesn't reference CVE-2023-44487 in any way, so not sure if that is relevant here.

- Mikko

yh zhou

unread,
Oct 22, 2023, 11:55:59 PM10/22/23
to grpc.io
I'm also looking for the same information. It would be of great help if  anything effective replied. Thanks.

-zhouyh

Hemant Jain

unread,
Oct 24, 2023, 9:56:22 AM10/24/23
to grpc.io
I see there's PR for the same https://github.com/grpc/grpc/pull/34763. does this takes care of python module too?

veb...@google.com

unread,
Oct 25, 2023, 4:26:11 PM10/25/23
to grpc.io
gRPC C++, Python, and Ruby will soon have a 1.59.2 patch release to address CVE-2023-44487. Thus, 1.60 or later will have this fix.
gRPC ObjC and PHP are not affected by this CVE because they do not support the server feature that has the vulnerability.


yh zhou

unread,
Oct 27, 2023, 2:48:24 AM10/27/23
to grpc.io
 Are there any POCs or steps to reproduce this vulnerability in grpc can be provided? And what operations can user take to reduce the risk of attack at present.

veb...@google.com

unread,
Nov 13, 2023, 6:29:59 PM11/13/23
to grpc.io
We don't want to share details about how to reproduce it because it would do more harm than good. Action required here to mitigate this is to update gRPC to the version with the fix.
Reply all
Reply to author
Forward
0 new messages