grpc downgrade caused vulnerability scan issue #12021
Comments
|
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight. |
|
The version should be 1.49.1. Please share the Package.resolved. |
Correct, the version that has been used by us now is 1.49.1, however, according to our blackduck scan result, this version has a denial-of-service (DoS) vulnerability. Here is the description: |
|
For more info, here is the link that describes the detail about the vulnerabilities of grpc 1.49.1: |
|
I identified this bug, wrote the CVE, and authored the fix for gRPC. I don't consider gRPC clients talking to trusted servers to be vulnerable to this CVE, and would recommend using the latest version of gRPC that is available without downgrading. The primary vulnerability discovered was for a proxy using gRPC to communicate to a single backend over a single channel. In that case it was possible to trick the proxy into sharing headers (sometimes secrets) from other clients of the proxy. Since Firebase is not a proxy it is not vulnerable to this information leak. Secondary bugs discovered during investigation of this bug will affect Firebase, but would need a malicious peer to trigger - they rely on protocol use that is outside of what normally functioning HTTP/2 stacks would generate. There is a small risk of a tertiary bug that would cause unexpected disconnections after (at least) days of communications - which is a usage pattern I don't expect an iOS library to exhibit. |
Here is our package.resolved file content: {
"object": {
"pins": [
{
"package": "abseil",
"repositoryURL": "https://github.com/google/abseil-cpp-binary.git",
"state": {
"branch": null,
"revision": "bfc0b6f81adc06ce5121eb23f628473638d67c5c",
"version": "1.2022062300.0"
}
},
{
"package": "AppAuth",
"repositoryURL": "https://github.com/openid/AppAuth-iOS",
"state": {
"branch": null,
"revision": "71cde449f13d453227e687458144bde372d30fc7",
"version": "1.6.2"
}
},
{
"package": "CombineExt",
"repositoryURL": "https://github.com/CombineCommunity/CombineExt.git",
"state": {
"branch": null,
"revision": "d7b896fa9ca8b47fa7bcde6b43ef9b70bf8c1f56",
"version": "1.8.1"
}
},
{
"package": "Firebase",
"repositoryURL": "https://github.com/firebase/firebase-ios-sdk",
"state": {
"branch": null,
"revision": "8a8ec57a272e0d31480fb0893dda0cf4f769b57e",
"version": "10.15.0"
}
},
{
"package": "GoogleAppMeasurement",
"repositoryURL": "https://github.com/google/GoogleAppMeasurement.git",
"state": {
"branch": null,
"revision": "03b9beee1a61f62d32c521e172e192a1663a5e8b",
"version": "10.13.0"
}
},
{
"package": "GoogleDataTransport",
"repositoryURL": "https://github.com/google/GoogleDataTransport.git",
"state": {
"branch": null,
"revision": "aae45a320fd0d11811820335b1eabc8753902a40",
"version": "9.2.5"
}
},
{
"package": "GoogleUtilities",
"repositoryURL": "https://github.com/google/GoogleUtilities.git",
"state": {
"branch": null,
"revision": "c38ce365d77b04a9a300c31061c5227589e5597b",
"version": "7.11.5"
}
},
{
"package": "gRPC",
"repositoryURL": "https://github.com/google/grpc-binary.git",
"state": {
"branch": null,
"revision": "f1b366129d1125be7db83247e003fc333104b569",
"version": "1.50.2"
}
},
{
"package": "GTMSessionFetcher",
"repositoryURL": "https://github.com/google/gtm-session-fetcher.git",
"state": {
"branch": null,
"revision": "d415594121c9e8a4f9d79cecee0965cf35e74dbd",
"version": "3.1.1"
}
},
{
"package": "InteropForGoogle",
"repositoryURL": "https://github.com/google/interop-ios-for-google-sdks.git",
"state": {
"branch": null,
"revision": "2d12673670417654f08f5f90fdd62926dc3a2648",
"version": "100.0.0"
}
},
{
"package": "leveldb",
"repositoryURL": "https://github.com/firebase/leveldb.git",
"state": {
"branch": null,
"revision": "0706abcc6b0bd9cedfbb015ba840e4a780b5159b",
"version": "1.22.2"
}
},
{
"package": "nanopb",
"repositoryURL": "https://github.com/firebase/nanopb.git",
"state": {
"branch": null,
"revision": "819d0a2173aff699fb8c364b6fb906f7cdb1a692",
"version": "2.30909.0"
}
},
{
"package": "swift-collections",
"repositoryURL": "https://github.com/apple/swift-collections",
"state": {
"branch": null,
"revision": "a902f1823a7ff3c9ab2fba0f992396b948eda307",
"version": "1.0.5"
}
},
{
"package": "LDSwiftEventSource",
"repositoryURL": "https://github.com/LaunchDarkly/swift-eventsource.git",
"state": {
"branch": null,
"revision": "3d45eacab476f9bb2c58662cfb2d35088140b25b",
"version": "3.1.1"
}
},
{
"package": "xctest-dynamic-overlay",
"repositoryURL": "https://github.com/pointfreeco/xctest-dynamic-overlay",
"state": {
"branch": null,
"revision": "23cbf2294e350076ea4dbd7d5d047c1e76b03631",
"version": "1.0.2"
}
}
]
},
"version": 1
} |
|
Given that we don't consider the Firestore SDK vulnerable to this exploit at this time, we're not immediately releasing an updated version of the Firebase SDK with a newer version of the grpc library. However, we are planning to update the grpc version we use soon. |
|
Planning to update to gRPC 1.62.* in Firebase 10.23.0 |
|
The update to 1.62.* is merged. 10.23.0 should release the week of March 19th |
Description
Our recent scan shows that in Firebase iOS 10.16.0 release the grpc has been downgraded to 1.44.0 which expose a denial-of-service (DoS) vulnerability.
Reproducing the issue
No response
Firebase SDK Version
10.16.0
Xcode Version
15.0
Installation Method
Swift Package Manager
Firebase Product(s)
All
Targeted Platforms
iOS
Relevant Log Output
No response
If using Swift Package Manager, the project's Package.resolved
Expand
Package.resolvedsnippetReplace this line with the contents of your Package.resolved.If using CocoaPods, the project's Podfile.lock
Expand
Podfile.locksnippetReplace this line with the contents of your Podfile.lock!The text was updated successfully, but these errors were encountered: