Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-qppj-fm5r-hxr3] swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack #2860

Closed

Conversation

joakime
Copy link

@joakime joakime commented Oct 16, 2023

Updates

  • Affected products
  • CVSS
  • Severity

Comments
This advisory is co-opting the public CVE-2023-44487 found referenced everywhere on github now.
Those references should point to something like https://nvd.nist.gov/vuln/detail/CVE-2023-44487, not this Advisory.

Also, the CVSS score for the public CVE https://nvd.nist.gov/vuln/detail/CVE-2023-44487 is 7.5 High - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (not the low number on this advisory)

To make the rest of the github sane, please remove the CVE id from this advisory, or make this advisory have it's own unique CVE id.

@github
Copy link
Collaborator

github commented Oct 16, 2023

Hi there @Lukasa! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to joakime/advisory-improvement-2860 October 16, 2023 21:52
@darakian
Copy link
Contributor

This advisory is co-opting the public CVE-2023-44487 found referenced everywhere on github now.

Can you expand on what you mean there?

@joakime
Copy link
Author

joakime commented Oct 18, 2023

This advisory is co-opting the public CVE-2023-44487 found referenced everywhere on github now.

Can you expand on what you mean there?

CVE-2023-4487 is a public CVE, not assigned to any specific product or project.
The swift-nio-http2 group did not request a new CVE, but manually attached this global (spec level) CVE to advisory their advisory GHSA-qppj-fm5r-hxr3

What this means, is that every reference to CVE-2023-4487 on github (as text, not as a link) is now linking to this swift-nio-http2 advisory. (this is wrong)
(Even this Comment on this PR is doing it!)

Examples in Discussions:

Examples in Release Notes:

Examples in Issues:

Examples in PRs:

@darakian
Copy link
Contributor

We can generalize the text to read more generically if that's what you're asking for, but they do seem to be affected by this CVE. I don't see how this is co-opting. If the CVE/GHSA auto linking is the concern then starting a discussion or issue in this repo is probably a better approach.

@joakime
Copy link
Author

joakime commented Oct 19, 2023

The process at github for advisories is an overall good thing.
The fact that this advisory can exist, and reference the CVE-2023-4487, to have these impacted packages on swift-nio-http update on the top level CVE is also a good thing!

I don't see how this is co-opting.

co-opting is probably a poor word choice.
I can't find a better short phrase / word.

It's really "confusing the daylights out of other users" is what's going on.

If the CVE/GHSA auto linking is the concern then starting a discussion or issue in this repo is probably a better approach.

This repo? as in https://github.com/github/advisory-database ? Will do.
Probably going to suggest some kind of "disambiguation" or "search results" style of linking instead of directly to the most recent advisory.

@joakime
Copy link
Author

joakime commented Oct 19, 2023

Filed as Issue #2869

@Lukasa
Copy link

Lukasa commented Oct 19, 2023

Yeah, to clarify here we liaised with CloudFlare who specifically asked that affected implementations should use this CVE number, so we did. I think this suggests that GitHub may want to slightly tweak the implementation story, but if we hear feedback from CloudFlare that they'd like us to use a different number, we can of course do so.

@joakime
Copy link
Author

joakime commented Oct 19, 2023

@Lukasa that's correct, your advisory here is meant to update the top level CVE-2023-44487 by adding the details from this Advisory to the "Known Affected Software Configurations".

Which it has btw, see https://nvd.nist.gov/vuln/detail/CVE-2023-44487 (you appear to be Configuration 10 on that list at the time of this comment)

I represent Eclipse Jetty, and we are Configuration 5. (We got our configuration into the CVE at the beginning, back on Oct 10th, but didn't do it via a Github Advisory)

What isn't correct, is that this specific advisory is representing itself all over github as CVE-2023-44487.

I started this PR as a change to this specific advisory to quit representing itself as CVE-2023-44487.
@darakian has indicated that the behavior isn't meant to be corrected by modifying this advisory, but rather as a more general Issue. So I submitted Issue #2869 to hopefully get it corrected.

@darakian
Copy link
Contributor

@joakime apologies for the delay. We can still make changes to this advisory to make it read more generically, but ya the root cause is unlikely to be fixed quickly. Do you want to close this PR out and follow up on the other issue or would generalizing this advisory also help?

@joakime
Copy link
Author

joakime commented Oct 31, 2023

@darakian if you feel that issue #2869 is the more appropriate way to handle this, then this PR can be closed in favor of working that more general solution.

@darakian
Copy link
Contributor

@joakime. I think that might be a better place to start. We can always reopen this if need be, but I'll close this PR for now 😃

@darakian darakian closed this Oct 31, 2023
@github-actions github-actions bot deleted the joakime-GHSA-qppj-fm5r-hxr3 branch October 31, 2023 22:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants