We don't want to share details about how to reproduce it because it would 
do more harm than good. The action required here to mitigate this is to update 
gRPC to the version with the fix.

On Thursday, October 26, 2023 at 11:48:24 PM UTC-7 yh zhou wrote:

> Are there any POCs or steps to reproduce this vulnerability in grpc that can 
> be provided? And what operations can users take to reduce the risk of attack 
> at present?
>
> On Thursday, October 26, 2023 at 04:26:11 UTC+8 veb...@google.com wrote:
>
>> gRPC C++, Python, and Ruby will soon have a 1.59.2 patch release to 
>> address CVE-2023-44487. Thus, 1.60 or later will have this fix.
>> gRPC ObjC and PHP are not affected by this CVE because they do not 
>> support the server feature that has the vulnerability.
>>
>>
>> On Tuesday, October 24, 2023 at 6:56:22 AM UTC-7 Hemant Jain wrote:
>>
>>> I see there's a PR for the same: https://github.com/grpc/grpc/pull/34763. 
>>> Does this take care of the Python module too?
>>>
>>> On Monday, October 23, 2023 at 9:25:59 AM UTC+5:30 yh zhou wrote:
>>>
>>>> I'm also looking for the same information. It would be of great help 
>>>> if anyone replied with something effective. Thanks.
>>>>
>>>> -zhouyh
>>>> On Wednesday, October 11, 2023 at 15:14:58 UTC+8 Mikko Rantanen wrote:
>>>>
>>>>> Hey!
>>>>>
>>>>> We have tried to find some sort of official clarification on 
>>>>> whether/how gRPC is affected by CVE-2023-44487. Is there more information 
>>>>> on this somewhere?
>>>>>
>>>>> The closest related thing we could find were recent changes to 
>>>>> concurrent streams and RST_STREAM: 
>>>>> https://github.com/grpc/grpc/commit/6a49e953a4df6ea8aa4378de575b0a7a59421f30, 
>>>>> but even that doesn't reference CVE-2023-44487 in any way, so not sure if 
>>>>> that is relevant here.
>>>>>
>>>>> - Mikko
>>>>>
>>>>
