Project

General

Profile

Actions

Bug #24068

closed

DoS vuln in h2 lib in relayd

Added by Alexis Mousset 11 months ago. Updated 11 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

[2024-01-23T20:08:56.032Z] + cargo deny check

[2024-01-23T20:09:00.273Z] error[A001]: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)

[2024-01-23T20:09:00.273Z]    ┌─ /srv/jenkins/workspace/dependencies_branches_rudder_7.3/relay/sources/relayd/Cargo.lock:70:1

[2024-01-23T20:09:00.273Z]    │

[2024-01-23T20:09:00.273Z] 70 │ h2 0.3.16 registry+https://github.com/rust-lang/crates.io-index

[2024-01-23T20:09:00.273Z]    │ --------------------------------------------------------------- security vulnerability detected

[2024-01-23T20:09:00.273Z]    │

[2024-01-23T20:09:00.273Z]    = ID: RUSTSEC-2024-0003

[2024-01-23T20:09:00.273Z]    = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0003

[2024-01-23T20:09:00.273Z]    = An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the

[2024-01-23T20:09:00.273Z]      generation of reset frames on the victim endpoint.

[2024-01-23T20:09:00.273Z]      By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,

[2024-01-23T20:09:00.273Z]      resulting in Out Of Memory (OOM) and high CPU usage.

[2024-01-23T20:09:00.273Z]      

[2024-01-23T20:09:00.273Z]      This fix is corrected in [hyperium/h2#737](https://github.com/hyperium/h2/pull/737), which limits the total number of

[2024-01-23T20:09:00.273Z]      internal error resets emitted by default before the connection is closed.

[2024-01-23T20:09:00.273Z]    = Solution: Upgrade to ^0.3.24 OR >=0.4.2

[2024-01-23T20:09:00.273Z]    = h2 v0.3.16

[2024-01-23T20:09:00.273Z]      ├── hyper v0.14.24

[2024-01-23T20:09:00.273Z]      │   ├── hyper-tls v0.5.0

[2024-01-23T20:09:00.273Z]      │   │   └── reqwest v0.11.14

[2024-01-23T20:09:00.273Z]      │   │       └── rudder-relayd v0.0.0-dev

[2024-01-23T20:09:00.273Z]      │   ├── reqwest v0.11.14 (*)

[2024-01-23T20:09:00.273Z]      │   ├── rudder-relayd v0.0.0-dev (*)

[2024-01-23T20:09:00.273Z]      │   └── warp v0.3.3

[2024-01-23T20:09:00.273Z]      │       └── rudder-relayd v0.0.0-dev (*)

[2024-01-23T20:09:00.273Z]      └── reqwest v0.11.14 (*)

Actions #1

Updated by Alexis Mousset 11 months ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Alexis Mousset 11 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/5344
Actions #3

Updated by Alexis Mousset 11 months ago

  • Status changed from Pending technical review to Pending release
Actions #4

Updated by Alexis Mousset 11 months ago

  • Fix check changed from To do to Checked
Actions #5

Updated by Vincent MEMBRÉ 11 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.3.11 which was released today.

Actions

Also available in: Atom PDF