data/reports/GO-2022-1148.yaml - vulndb - Git at Google

 id: GO-2022-1148
 modules:
     - module: github.com/libp2p/go-libp2p
       versions:
         - fixed: 0.18.0
       vulnerable_at: 0.18.0-rc1
       packages:
         - package: github.com/libp2p/go-libp2p
           symbols:
             - New
           derived_symbols:
             - DefaultStaticRelays
             - Muxer
             - NewWithoutDefaults
             - Security
             - Transport
         - package: github.com/libp2p/go-libp2p/config
           symbols:
             - MuxerConstructor
             - makeMuxer
             - TransportConstructor
             - makeTransports
             - makeArgumentConstructors
             - makeConstructor
             - SecurityConstructor
           derived_symbols:
             - Config.NewNode
         - package: github.com/libp2p/go-libp2p/p2p/host/autonat
           symbols:
             - client.DialBack
             - autoNATService.handleStream
           derived_symbols:
             - New
         - package: github.com/libp2p/go-libp2p/p2p/host/basic
           symbols:
             - BasicHost.newStreamHandler
           derived_symbols:
             - NewHost
         - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv1/relay
           symbols:
             - NewRelay
         - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client
           symbols:
             - Client.connectV1
             - Client.connectV2
             - Client.Dial
         - package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/relay
           symbols:
             - New
             - Relay.Close
             - Relay.handleStream
             - Relay.handleConnect
         - package: github.com/libp2p/go-libp2p/p2p/protocol/holepunch
           symbols:
             - Service.initiateHolePunch
             - Service.incomingHolePunch
             - Service.handleNewStream
           derived_symbols:
             - Service.DirectConnect
             - netNotifiee.Connected
 summary: Resource exhaustion in github.com/libp2p/go-libp2p
 description: |-
     go-libp2p is vulnerable to targeted resource exhaustion attacks.

     These attacks target libp2p's connection, stream, peer, and memory management.
     An attacker can cause the allocation of large amounts of memory ultimately
     leading to the process getting killed by the host's operating system.

     While a connection manager tasked with keeping the number of connections within
     manageable limits has been part of go-libp2p, this component was designed to
     handle the regular churn of peers, not a targeted resource exhaustion attack.

     It's recommend to update to v0.21.0 onwards to get some useful functionality
     that will help in production environments like better metrics around resource
     usage, Grafana dashboards around resource usage, allow list support, and default
     autoscaling limits.
 cves:
     - CVE-2022-23492
 ghsas:
     - GHSA-j7qp-mfxf-8xjw
 references:
     - advisory: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw
     - fix: https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de
	id: GO-2022-1148
	modules:
	- module: github.com/libp2p/go-libp2p
	versions:
	- fixed: 0.18.0
	vulnerable_at: 0.18.0-rc1
	packages:
	- package: github.com/libp2p/go-libp2p
	symbols:
	- New
	derived_symbols:
	- DefaultStaticRelays
	- Muxer
	- NewWithoutDefaults
	- Security
	- Transport
	- package: github.com/libp2p/go-libp2p/config
	symbols:
	- MuxerConstructor
	- makeMuxer
	- TransportConstructor
	- makeTransports
	- makeArgumentConstructors
	- makeConstructor
	- SecurityConstructor
	derived_symbols:
	- Config.NewNode
	- package: github.com/libp2p/go-libp2p/p2p/host/autonat
	symbols:
	- client.DialBack
	- autoNATService.handleStream
	derived_symbols:
	- New
	- package: github.com/libp2p/go-libp2p/p2p/host/basic
	symbols:
	- BasicHost.newStreamHandler
	derived_symbols:
	- NewHost
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv1/relay
	symbols:
	- NewRelay
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client
	symbols:
	- Client.connectV1
	- Client.connectV2
	- Client.Dial
	- package: github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/relay
	symbols:
	- New
	- Relay.Close
	- Relay.handleStream
	- Relay.handleConnect
	- package: github.com/libp2p/go-libp2p/p2p/protocol/holepunch
	symbols:
	- Service.initiateHolePunch
	- Service.incomingHolePunch
	- Service.handleNewStream
	derived_symbols:
	- Service.DirectConnect
	- netNotifiee.Connected
	summary: Resource exhaustion in github.com/libp2p/go-libp2p
	description: \|-
	go-libp2p is vulnerable to targeted resource exhaustion attacks.

	These attacks target libp2p's connection, stream, peer, and memory management.
	An attacker can cause the allocation of large amounts of memory ultimately
	leading to the process getting killed by the host's operating system.

	While a connection manager tasked with keeping the number of connections within
	manageable limits has been part of go-libp2p, this component was designed to
	handle the regular churn of peers, not a targeted resource exhaustion attack.

	It's recommend to update to v0.21.0 onwards to get some useful functionality
	that will help in production environments like better metrics around resource
	usage, Grafana dashboards around resource usage, allow list support, and default
	autoscaling limits.
	cves:
	- CVE-2022-23492
	ghsas:
	- GHSA-j7qp-mfxf-8xjw
	references:
	- advisory: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw
	- fix: https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de