Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNndzQtbTV3Ny12ODlj
Uncontrolled Resource Consumption in Indy Node
Summary
Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network.
Discovery
On May 18, Evernym's monitoring of Sovrin StagingNet showed a report of StagingNet losing sufficient consensus to validate write transactions. The problem resolved itself within a few minutes. On May 20th we saw the alert multiple times, and we began analyzing the logs of our steward node. On May 21st we continued to see the alerts with increasing frequency.
It appears that someone is unknowingly sending a malformed transaction, and retrying when the transaction fails. The cause of the errors appear to be the TAA acceptance.
Proposed actions
- Reproduce problem in integration tests and create a fix
- Do a hotfix release branching from last stable (current master have some things merged that are too risky)
- Upgrade BuilderNet, StagingNet and MainNet as soon as possible
- Improve testing strategy on Indy Node to reduce probability of such bugs
Notes
- The journalctl logs also show an out-of-memory problem on the Australia node. We need to evaluate if this should be raised as a separate issue.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNndzQtbTV3Ny12ODlj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-3gw4-m5w7-v89c, CVE-2020-11090
References:
- https://github.com/hyperledger/indy-node/security/advisories/GHSA-3gw4-m5w7-v89c
- https://pypi.org/project/indy-node/1.12.3/
- https://nvd.nist.gov/vuln/detail/CVE-2020-11090
- https://github.com/hyperledger/indy-node/blob/master/CHANGELOG.md#1123
- https://github.com/advisories/GHSA-3gw4-m5w7-v89c
Blast Radius: 7.2
Affected Packages
pypi:indy-node
Dependent packages: 1Dependent repositories: 9
Downloads: 2,826 last month
Affected Version Ranges: = 1.12.2
Fixed in: 1.12.3
All affected versions: 1.12.2
All unaffected versions: 0.0.2, 0.0.3, 0.0.4, 0.0.12, 0.0.20, 0.0.21, 0.0.22, 0.0.23, 0.0.24, 0.0.25, 0.0.28, 0.0.30, 0.0.31, 0.0.32, 0.4.27, 1.0.28, 1.0.29, 1.1.1, 1.1.30, 1.1.31, 1.1.32, 1.1.33, 1.1.34, 1.1.35, 1.1.36, 1.1.37, 1.1.38, 1.1.39, 1.1.40, 1.1.41, 1.1.42, 1.1.43, 1.2.44, 1.2.45, 1.2.46, 1.2.47, 1.2.48, 1.2.49, 1.2.50, 1.3.51, 1.3.52, 1.3.53, 1.3.54, 1.3.55, 1.3.56, 1.3.57, 1.3.58, 1.3.59, 1.3.60, 1.3.61, 1.3.62, 1.4.63, 1.4.64, 1.4.65, 1.4.66, 1.5.67, 1.5.68, 1.6.69, 1.6.70, 1.6.71, 1.6.72, 1.6.73, 1.6.74, 1.6.75, 1.6.76, 1.6.77, 1.6.78, 1.6.79, 1.6.80, 1.6.81, 1.6.82, 1.6.83, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.13.2