Actions
Bug #24068
closedDoS vuln in h2 lib in relayd
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No
Description
[2024-01-23T20:08:56.032Z] + cargo deny check [2024-01-23T20:09:00.273Z] error[A001]: Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS) [2024-01-23T20:09:00.273Z] ┌─ /srv/jenkins/workspace/dependencies_branches_rudder_7.3/relay/sources/relayd/Cargo.lock:70:1 [2024-01-23T20:09:00.273Z] │ [2024-01-23T20:09:00.273Z] 70 │ h2 0.3.16 registry+https://github.com/rust-lang/crates.io-index [2024-01-23T20:09:00.273Z] │ --------------------------------------------------------------- security vulnerability detected [2024-01-23T20:09:00.273Z] │ [2024-01-23T20:09:00.273Z] = ID: RUSTSEC-2024-0003 [2024-01-23T20:09:00.273Z] = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0003 [2024-01-23T20:09:00.273Z] = An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the [2024-01-23T20:09:00.273Z] generation of reset frames on the victim endpoint. [2024-01-23T20:09:00.273Z] By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion, [2024-01-23T20:09:00.273Z] resulting in Out Of Memory (OOM) and high CPU usage. [2024-01-23T20:09:00.273Z] [2024-01-23T20:09:00.273Z] This fix is corrected in [hyperium/h2#737](https://github.com/hyperium/h2/pull/737), which limits the total number of [2024-01-23T20:09:00.273Z] internal error resets emitted by default before the connection is closed. [2024-01-23T20:09:00.273Z] = Solution: Upgrade to ^0.3.24 OR >=0.4.2 [2024-01-23T20:09:00.273Z] = h2 v0.3.16 [2024-01-23T20:09:00.273Z] ├── hyper v0.14.24 [2024-01-23T20:09:00.273Z] │ ├── hyper-tls v0.5.0 [2024-01-23T20:09:00.273Z] │ │ └── reqwest v0.11.14 [2024-01-23T20:09:00.273Z] │ │ └── rudder-relayd v0.0.0-dev [2024-01-23T20:09:00.273Z] │ ├── reqwest v0.11.14 (*) [2024-01-23T20:09:00.273Z] │ ├── rudder-relayd v0.0.0-dev (*) [2024-01-23T20:09:00.273Z] │ └── warp v0.3.3 [2024-01-23T20:09:00.273Z] │ └── rudder-relayd v0.0.0-dev (*) [2024-01-23T20:09:00.273Z] └── reqwest v0.11.14 (*)
Updated by Alexis Mousset 11 months ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset 11 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/5344
Updated by Alexis Mousset 11 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|8d6416b719d263d3effa5bfe0b6037864ad693f8.
Updated by Vincent MEMBRÉ 10 months ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.3.11 which was released today.
Actions