Amazon Linux 2023 Security Advisory: ALAS2023-2024-769
Advisory Released Date: 2024-12-12
Advisory Updated Date: 2024-12-16
Severity:
Medium
Issue Overview:
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.
This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.
Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4. (CVE-2024-7246)
Affected Packages:
grpc
Issue Correction:
Run dnf update grpc --releasever 2023.6.20241212 or dnf update --advisory ALAS2023-2024-769 --releasever 2023.6.20241212 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
grpc-debuginfo-1.60.2-10.amzn2023.aarch64
grpc-plugins-debuginfo-1.60.2-10.amzn2023.aarch64
grpc-cpp-debuginfo-1.60.2-10.amzn2023.aarch64
grpc-cpp-1.60.2-10.amzn2023.aarch64
grpc-plugins-1.60.2-10.amzn2023.aarch64
grpc-1.60.2-10.amzn2023.aarch64
grpc-devel-1.60.2-10.amzn2023.aarch64
grpc-debugsource-1.60.2-10.amzn2023.aarch64
noarch:
grpc-data-1.60.2-10.amzn2023.noarch
grpc-doc-1.60.2-10.amzn2023.noarch
src:
grpc-1.60.2-10.amzn2023.src
x86_64:
grpc-plugins-debuginfo-1.60.2-10.amzn2023.x86_64
grpc-debuginfo-1.60.2-10.amzn2023.x86_64
grpc-cpp-debuginfo-1.60.2-10.amzn2023.x86_64
grpc-plugins-1.60.2-10.amzn2023.x86_64
grpc-cpp-1.60.2-10.amzn2023.x86_64
grpc-1.60.2-10.amzn2023.x86_64
grpc-devel-1.60.2-10.amzn2023.x86_64
grpc-debugsource-1.60.2-10.amzn2023.x86_64