data/reports/GO-2022-1148.yaml - vulndb - Git at Google

 modules:
   - module: github.com/libp2p/go-libp2p
     versions:
       - fixed: 0.18.0
     vulnerable_at: 0.18.0-rc1
     packages:
       - package: github.com/libp2p/go-libp2p
         symbols:
           - New
         derived_symbols:
           - DefaultStaticRelays
           - Muxer
           - NewWithoutDefaults
           - Security
           - Transport
       - package: github.com/libp2p/go-libp2p/config
         symbols:
           - MuxerConstructor
           - makeMuxer
           - TransportConstructor
           - makeTransports
           - makeArgumentConstructors
           - makeConstructor
           - SecurityConstructor
         derived_symbols:
           - Config.NewNode
       - package: github.com/libp2p/go-libp2p/p2p/host/autonat
         symbols:
           - client.DialBack
           - autoNATService.handleStream
         derived_symbols:
           - New
       - package: github.com/libp2p/go-libp2p/p2p/host/basic
         symbols:
           - BasicHost.newStreamHandler
         derived_symbols:
           - NewHost
       - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv1/relay
         symbols:
           - NewRelay
       - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client
         symbols:
           - Client.connectV1
           - Client.connectV2
           - Client.Dial
       - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/relay
         symbols:
           - New
           - Relay.Close
           - Relay.handleStream
           - Relay.handleConnect
       - package: github.com/libp2p/go-libp2p/p2p/protocol/holepunch
         symbols:
           - Service.initiateHolePunch
           - Service.incomingHolePunch
           - Service.handleNewStream
         derived_symbols:
           - Service.DirectConnect
           - netNotifiee.Connected
 description: |
     go-libp2p is vulnerable to targeted resource exhaustion attacks.

     These attacks target libp2p's connection, stream, peer, and memory
     management. An attacker can cause the allocation of large amounts of memory
     ultimately leading to the process getting killed by the host's operating
     system.

     While a connection manager tasked with keeping the number of connections
     within manageable limits has been part of go-libp2p, this component was
     designed to handle the regular churn of peers, not a targeted resource
     exhaustion attack.

     It's recommend to update to v0.21.0 onwards to get some useful functionality
     that will help in production environments like better metrics around
     resource usage, Grafana dashboards around resource usage, allow list
     support, and default autoscaling limits.
 cves:
   - CVE-2022-23492
 ghsas:
   - GHSA-j7qp-mfxf-8xjw
 references:
   - advisory: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw
   - fix: https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de
	modules:
	- module: github.com/libp2p/go-libp2p
	versions:
	- fixed: 0.18.0
	vulnerable_at: 0.18.0-rc1
	packages:
	- package: github.com/libp2p/go-libp2p
	symbols:
	- New
	derived_symbols:
	- DefaultStaticRelays
	- Muxer
	- NewWithoutDefaults
	- Security
	- Transport
	- package: github.com/libp2p/go-libp2p/config
	symbols:
	- MuxerConstructor
	- makeMuxer
	- TransportConstructor
	- makeTransports
	- makeArgumentConstructors
	- makeConstructor
	- SecurityConstructor
	derived_symbols:
	- Config.NewNode
	- package: github.com/libp2p/go-libp2p/p2p/host/autonat
	symbols:
	- client.DialBack
	- autoNATService.handleStream
	derived_symbols:
	- New
	- package: github.com/libp2p/go-libp2p/p2p/host/basic
	symbols:
	- BasicHost.newStreamHandler
	derived_symbols:
	- NewHost
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv1/relay
	symbols:
	- NewRelay
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client
	symbols:
	- Client.connectV1
	- Client.connectV2
	- Client.Dial
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/relay
	symbols:
	- New
	- Relay.Close
	- Relay.handleStream
	- Relay.handleConnect
	- package: github.com/libp2p/go-libp2p/p2p/protocol/holepunch
	symbols:
	- Service.initiateHolePunch
	- Service.incomingHolePunch
	- Service.handleNewStream
	derived_symbols:
	- Service.DirectConnect
	- netNotifiee.Connected
	description: \|
	go-libp2p is vulnerable to targeted resource exhaustion attacks.

	These attacks target libp2p's connection, stream, peer, and memory
	management. An attacker can cause the allocation of large amounts of memory
	ultimately leading to the process getting killed by the host's operating
	system.

	While a connection manager tasked with keeping the number of connections
	within manageable limits has been part of go-libp2p, this component was
	designed to handle the regular churn of peers, not a targeted resource
	exhaustion attack.

	It's recommend to update to v0.21.0 onwards to get some useful functionality
	that will help in production environments like better metrics around
	resource usage, Grafana dashboards around resource usage, allow list
	support, and default autoscaling limits.
	cves:
	- CVE-2022-23492
	ghsas:
	- GHSA-j7qp-mfxf-8xjw
	references:
	- advisory: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw
	- fix: https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de