data/reports/GO-2022-1148.yaml - vulndb - Git at Google

 modules:
   - module: github.com/libp2p/go-libp2p
     versions:
       - fixed: 0.18.0
     vulnerable_at: 0.18.0-rc1
     packages:
       - package: github.com/libp2p/go-libp2p
         symbols:
           - New
       - package: github.com/libp2p/go-libp2p/config
         symbols:
           - MuxerConstructor
           - makeMuxer
           - TransportConstructor
           - makeTransports
           - makeArgumentConstructors
           - makeConstructor
           - SecurityConstructor
         derived_symbols:
           - Config.NewNode
       - package: github.com/libp2p/go-libp2p/p2p/host/autonat
         symbols:
           - client.DialBack
           - autoNATService.handleStream
         derived_symbols:
           - New
       - package: github.com/libp2p/go-libp2p/p2p/host/basic
         symbols:
           - BasicHost.newStreamHandler
         derived_symbols:
           - NewHost
       - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv1/relay
         symbols:
           - NewRelay
       - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client
         symbols:
           - Client.connectV1
           - Client.connectV2
           - Client.Dial
       - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/relay
         symbols:
           - New
           - Relay.Close
           - Relay.handleStream
           - Relay.handleConnect
       - package: github.com/libp2p/go-libp2p/p2p/protocol/holepunch
         symbols:
           - Service.initiateHolePunch
           - Service.incomingHolePunch
           - Service.handleNewStream
         derived_symbols:
           - Service.DirectConnect
           - netNotifiee.Connected
 description: |
     go-libp2p is vulnerable to targeted resource exhaustion attacks. These
     attacks target libp2p's connection,stream, peer, and memory management. An
     attacker can cause the allocation of large amounts of memory, ultimately
     leading to the process getting killed by the host's operating system. While
     a connection manager tasked with keeping the number of connections within
     manageable limits has been part of go-libp2p, this component was designed
     to handle the regular churn of peers, not a targeted resource exhaustion
     attack.

     It's recommend that you update to v0.21.0 onwards as you'll get some useful
     functionality that will help in production environments like better metrics
     around resource usage, Grafana dashboards around resource usage, allow list
     support, and default autoscaling limits.
 cves:
   - CVE-2022-23492
 ghsas:
   - GHSA-j7qp-mfxf-8xjw
 references:
   - advisory: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw
   - fix: https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de
	modules:
	- module: github.com/libp2p/go-libp2p
	versions:
	- fixed: 0.18.0
	vulnerable_at: 0.18.0-rc1
	packages:
	- package: github.com/libp2p/go-libp2p
	symbols:
	- New
	- package: github.com/libp2p/go-libp2p/config
	symbols:
	- MuxerConstructor
	- makeMuxer
	- TransportConstructor
	- makeTransports
	- makeArgumentConstructors
	- makeConstructor
	- SecurityConstructor
	derived_symbols:
	- Config.NewNode
	- package: github.com/libp2p/go-libp2p/p2p/host/autonat
	symbols:
	- client.DialBack
	- autoNATService.handleStream
	derived_symbols:
	- New
	- package: github.com/libp2p/go-libp2p/p2p/host/basic
	symbols:
	- BasicHost.newStreamHandler
	derived_symbols:
	- NewHost
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv1/relay
	symbols:
	- NewRelay
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client
	symbols:
	- Client.connectV1
	- Client.connectV2
	- Client.Dial
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/relay
	symbols:
	- New
	- Relay.Close
	- Relay.handleStream
	- Relay.handleConnect
	- package: github.com/libp2p/go-libp2p/p2p/protocol/holepunch
	symbols:
	- Service.initiateHolePunch
	- Service.incomingHolePunch
	- Service.handleNewStream
	derived_symbols:
	- Service.DirectConnect
	- netNotifiee.Connected
	description: \|
	go-libp2p is vulnerable to targeted resource exhaustion attacks. These
	attacks target libp2p's connection,stream, peer, and memory management. An
	attacker can cause the allocation of large amounts of memory, ultimately
	leading to the process getting killed by the host's operating system. While
	a connection manager tasked with keeping the number of connections within
	manageable limits has been part of go-libp2p, this component was designed
	to handle the regular churn of peers, not a targeted resource exhaustion
	attack.

	It's recommend that you update to v0.21.0 onwards as you'll get some useful
	functionality that will help in production environments like better metrics
	around resource usage, Grafana dashboards around resource usage, allow list
	support, and default autoscaling limits.
	cves:
	- CVE-2022-23492
	ghsas:
	- GHSA-j7qp-mfxf-8xjw
	references:
	- advisory: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw
	- fix: https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de