Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04N205LXJ2OHAtcmdtZ84AA84S
go-grpc-compression has a zstd decompression bombing vulnerability
Impact
A malicious user could cause a denial of service (DoS) by sending a specially crafted gRPC request. The zstd decompression path did not respect the message-size limits imposed by gRPC, allowing memory usage to grow rapidly.
Versions v1.1.4 through v1.2.2 used the Decoder.DecodeAll function in github.com/klauspost/compress/zstd to decompress data provided by the peer. The vulnerability is exploitable only by attackers who can send gRPC payloads to users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd.
Patches
Version v1.2.3 of github.com/mostynb/go-grpc-compression avoids the issue by not using the Decoder.DecodeAll function in github.com/klauspost/compress/zstd.
All users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd in the affected versions should update to v1.2.3.
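The mechanism behind the advisory is easier to see in code. The following is an added illustration, not code from go-grpc-compression or grpc-go: it uses the standard library's gzip in place of klauspost zstd (the Go standard library has no zstd decoder) and runs two decompressor styles against a simplified model of gRPC's receive path, which reads at most max-receive-size+1 bytes from whatever io.Reader the codec returns. The Decompress(io.Reader) (io.Reader, error) shape is that of grpc-go's encoding.Compressor; the ErrMessageTooLarge name, the Expanded instrumentation, the receiveMessage model and the 8 MiB / 4 MiB sizes are constructed for this demonstration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrMessageTooLarge stands in for the error gRPC returns when a decompressed
// message exceeds the configured max receive message size (constructed name).
var ErrMessageTooLarge = errors.New("decompressed message exceeds max receive message size")

// decompressor mirrors the Decompress method of grpc-go's encoding.Compressor;
// Expanded is instrumentation added for this illustration only.
type decompressor interface {
	Decompress(r io.Reader) (io.Reader, error)
	Expanded() int64 // bytes the codec actually produced
}

// countingReader tallies how many decompressed bytes flow out of the codec.
type countingReader struct {
	r io.Reader
	n *int64
}

func (c countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	*c.n += int64(n)
	return n, err
}

// eagerDecompressor models the vulnerable pattern (Decoder.DecodeAll in the
// affected versions): the whole frame is expanded into memory before gRPC can
// apply its size limit, so the peer controls the allocation size.
type eagerDecompressor struct{ expanded int64 }

func (d *eagerDecompressor) Decompress(r io.Reader) (io.Reader, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	all, err := io.ReadAll(countingReader{zr, &d.expanded}) // unbounded
	if err != nil {
		return nil, err
	}
	return bytes.NewReader(all), nil
}

func (d *eagerDecompressor) Expanded() int64 { return d.expanded }

// streamingDecompressor models the patched pattern: gRPC receives a reader
// that decompresses on demand, so its limit applies before memory is committed.
type streamingDecompressor struct{ expanded int64 }

func (d *streamingDecompressor) Decompress(r io.Reader) (io.Reader, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	return countingReader{zr, &d.expanded}, nil
}

func (d *streamingDecompressor) Expanded() int64 { return d.expanded }

// receiveMessage is a simplified model of the gRPC receive path: read at most
// maxRecvSize+1 decompressed bytes and reject anything that goes over.
func receiveMessage(d decompressor, payload []byte, maxRecvSize int) ([]byte, error) {
	dr, err := d.Decompress(bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	msg, err := io.ReadAll(io.LimitReader(dr, int64(maxRecvSize)+1))
	if err != nil {
		return nil, err
	}
	if len(msg) > maxRecvSize {
		return nil, ErrMessageTooLarge
	}
	return msg, nil
}

// compressedZeros builds a constructed, highly compressible payload: n zero
// bytes gzip-compressed (a stand-in for a crafted zstd frame).
func compressedZeros(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(make([]byte, n)); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	payload := compressedZeros(8 << 20) // a few KiB on the wire, 8 MiB expanded
	const maxRecv = 4 << 20             // 4 MiB receive limit
	for _, d := range []decompressor{&eagerDecompressor{}, &streamingDecompressor{}} {
		_, err := receiveMessage(d, payload, maxRecv)
		fmt.Printf("%T: %d bytes expanded, err=%v\n", d, d.Expanded(), err)
	}
}
```

Both codecs end with the message rejected, but only after very different amounts of work: the eager codec has already produced the full 8 MiB (and would produce whatever the frame claims) before the limit is consulted, while the streaming codec produces 4 MiB + 1 bytes and stops. That is what moving away from DecodeAll buys: the decompressor becomes bounded by gRPC's max receive message size rather than by the sender's choice of expansion ratio.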
Workarounds
Other compression formats were not affected; users may consider switching from zstd to another format as a workaround that does not require upgrading to a newer release.
References
This issue was uncovered during a security audit performed by Miroslav Stampar of 7ASecurity, facilitated by OSTIF, for the OpenTelemetry project.
https://opentelemetry.io/blog/2024/cve-2024-36129
https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04N205LXJ2OHAtcmdtZ84AA84S
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-87m9-rv8p-rgmg
References:
- https://github.com/mostynb/go-grpc-compression/security/advisories/GHSA-87m9-rv8p-rgmg
- https://github.com/mostynb/go-grpc-compression/commit/629c44d3acb9624993cc7de629f47d72109e2ce5
- https://pkg.go.dev/vuln/GO-2024-2911
- https://github.com/advisories/GHSA-87m9-rv8p-rgmg
Blast Radius: 20.3
Affected Packages
go:github.com/mostynb/go-grpc-compression
Dependent packages: 412
Dependent repositories: 502
Downloads:
Affected Version Ranges: >= 1.1.4, < 1.2.3
Fixed in: 1.2.3
All affected versions: 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.2.0, 1.2.1, 1.2.2
All unaffected versions: 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.3