grpc downgrade caused vulnerability scan issue #12021
Comments
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
The version should be 1.49.1. Please share the Package.resolved.
Correct, the version we are using now is 1.49.1; however, according to our Black Duck scan result, this version has a denial-of-service (DoS) vulnerability. Here is the description:
For more info, here is the link that describes the details about the vulnerabilities of grpc 1.49.1:
I identified this bug, wrote the CVE, and authored the fix for gRPC. I don't consider gRPC clients talking to trusted servers to be vulnerable to this CVE, and would recommend using the latest version of gRPC that is available without downgrading. The primary vulnerability discovered was for a proxy using gRPC to communicate to a single backend over a single channel. In that case it was possible to trick the proxy into sharing headers (sometimes secrets) from other clients of the proxy. Since Firebase is not a proxy it is not vulnerable to this information leak. Secondary bugs discovered during investigation of this bug will affect Firebase, but would need a malicious peer to trigger - they rely on protocol use that is outside of what normally functioning HTTP/2 stacks would generate. There is a small risk of a tertiary bug that would cause unexpected disconnections after (at least) days of communications - which is a usage pattern I don't expect an iOS library to exhibit.
Here is our Package.resolved file content:
{
  "object": {
    "pins": [
      {
        "package": "abseil",
        "repositoryURL": "https://github.com/google/abseil-cpp-binary.git",
        "state": {
          "branch": null,
          "revision": "bfc0b6f81adc06ce5121eb23f628473638d67c5c",
          "version": "1.2022062300.0"
        }
      },
      {
        "package": "AppAuth",
        "repositoryURL": "https://github.com/openid/AppAuth-iOS",
        "state": {
          "branch": null,
          "revision": "71cde449f13d453227e687458144bde372d30fc7",
          "version": "1.6.2"
        }
      },
      {
        "package": "CombineExt",
        "repositoryURL": "https://github.com/CombineCommunity/CombineExt.git",
        "state": {
          "branch": null,
          "revision": "d7b896fa9ca8b47fa7bcde6b43ef9b70bf8c1f56",
          "version": "1.8.1"
        }
      },
      {
        "package": "Firebase",
        "repositoryURL": "https://github.com/firebase/firebase-ios-sdk",
        "state": {
          "branch": null,
          "revision": "8a8ec57a272e0d31480fb0893dda0cf4f769b57e",
          "version": "10.15.0"
        }
      },
      {
        "package": "GoogleAppMeasurement",
        "repositoryURL": "https://github.com/google/GoogleAppMeasurement.git",
        "state": {
          "branch": null,
          "revision": "03b9beee1a61f62d32c521e172e192a1663a5e8b",
          "version": "10.13.0"
        }
      },
      {
        "package": "GoogleDataTransport",
        "repositoryURL": "https://github.com/google/GoogleDataTransport.git",
        "state": {
          "branch": null,
          "revision": "aae45a320fd0d11811820335b1eabc8753902a40",
          "version": "9.2.5"
        }
      },
      {
        "package": "GoogleUtilities",
        "repositoryURL": "https://github.com/google/GoogleUtilities.git",
        "state": {
          "branch": null,
          "revision": "c38ce365d77b04a9a300c31061c5227589e5597b",
          "version": "7.11.5"
        }
      },
      {
        "package": "gRPC",
        "repositoryURL": "https://github.com/google/grpc-binary.git",
        "state": {
          "branch": null,
          "revision": "f1b366129d1125be7db83247e003fc333104b569",
          "version": "1.50.2"
        }
      },
      {
        "package": "GTMSessionFetcher",
        "repositoryURL": "https://github.com/google/gtm-session-fetcher.git",
        "state": {
          "branch": null,
          "revision": "d415594121c9e8a4f9d79cecee0965cf35e74dbd",
          "version": "3.1.1"
        }
      },
      {
        "package": "InteropForGoogle",
        "repositoryURL": "https://github.com/google/interop-ios-for-google-sdks.git",
        "state": {
          "branch": null,
          "revision": "2d12673670417654f08f5f90fdd62926dc3a2648",
          "version": "100.0.0"
        }
      },
      {
        "package": "leveldb",
        "repositoryURL": "https://github.com/firebase/leveldb.git",
        "state": {
          "branch": null,
          "revision": "0706abcc6b0bd9cedfbb015ba840e4a780b5159b",
          "version": "1.22.2"
        }
      },
      {
        "package": "nanopb",
        "repositoryURL": "https://github.com/firebase/nanopb.git",
        "state": {
          "branch": null,
          "revision": "819d0a2173aff699fb8c364b6fb906f7cdb1a692",
          "version": "2.30909.0"
        }
      },
      {
        "package": "swift-collections",
        "repositoryURL": "https://github.com/apple/swift-collections",
        "state": {
          "branch": null,
          "revision": "a902f1823a7ff3c9ab2fba0f992396b948eda307",
          "version": "1.0.5"
        }
      },
      {
        "package": "LDSwiftEventSource",
        "repositoryURL": "https://github.com/LaunchDarkly/swift-eventsource.git",
        "state": {
          "branch": null,
          "revision": "3d45eacab476f9bb2c58662cfb2d35088140b25b",
          "version": "3.1.1"
        }
      },
      {
        "package": "xctest-dynamic-overlay",
        "repositoryURL": "https://github.com/pointfreeco/xctest-dynamic-overlay",
        "state": {
          "branch": null,
          "revision": "23cbf2294e350076ea4dbd7d5d047c1e76b03631",
          "version": "1.0.2"
        }
      }
    ]
  },
  "version": 1
}
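The disagreement in this thread (scanner says 1.44.0, maintainer says 1.49.1, the file says 1.50.2) is resolved by reading the pin SwiftPM actually recorded rather than the scanner's report. This is an added example, not Firebase's or gRPC's code: it parses the Package.resolved v1 layout posted above and compares the gRPC pin against a minimum version. The embedded file is a constructed three-pin excerpt with placeholder revisions, and the v2 layout handling is an assumption from the SwiftPM format, not something the thread shows.

```python
import json

# Constructed excerpt in the Package.resolved v1 layout posted in this thread.
# Three pins only; the revision values are placeholders, not real commits.
SAMPLE_PACKAGE_RESOLVED = """{
  "object": {
    "pins": [
      {"package": "Firebase",
       "repositoryURL": "https://github.com/firebase/firebase-ios-sdk",
       "state": {"branch": null, "revision": "PLACEHOLDER_REV", "version": "10.15.0"}},
      {"package": "gRPC",
       "repositoryURL": "https://github.com/google/grpc-binary.git",
       "state": {"branch": null, "revision": "PLACEHOLDER_REV", "version": "1.50.2"}},
      {"package": "SomeTool",
       "repositoryURL": "https://example.invalid/some-tool.git",
       "state": {"branch": "main", "revision": "PLACEHOLDER_REV", "version": null}}
    ]
  },
  "version": 1
}"""


def parse_version(text):
    """'1.50.2' -> (1, 50, 2). Plain dotted versions only; pre-release suffixes are not handled."""
    return tuple(int(part) for part in text.split("."))


def resolved_pins(resolved_json):
    """Map lower-cased package name -> pinned version (None when pinned to a branch).

    Version-1 files (as posted above) nest pins under "object" and name them "package".
    Version-2 files are assumed to keep "pins" top-level and use "identity" instead.
    """
    data = json.loads(resolved_json)
    if data.get("version") == 1:
        pins, name_key = data["object"]["pins"], "package"
    else:
        pins, name_key = data["pins"], "identity"
    return {p[name_key].lower(): p["state"].get("version") for p in pins}


def check_minimum(resolved_json, package, minimum):
    """Return (pinned_version, ok).

    ok is False when the package is absent, pinned to a branch rather than a
    tagged version, or pinned below `minimum`.
    """
    pinned = resolved_pins(resolved_json).get(package.lower())
    if pinned is None:
        return None, False
    return pinned, parse_version(pinned) >= parse_version(minimum)
```

Against a real project, call `check_minimum(open("Package.resolved").read(), "gRPC", "1.49.1")` and compare the returned pin with what the scanner reported.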
Given that we don't consider the Firestore SDK vulnerable to this exploit at this time, we're not immediately releasing an updated version of the Firebase SDK with a newer version of the grpc library. However, we are planning to update the grpc version we use soon.
Planning to update to gRPC 1.62.* in Firebase 10.23.0.
The update to 1.62.* is merged. 10.23.0 should release the week of March 19th.
Description
Our recent scan shows that in the Firebase iOS 10.16.0 release the grpc has been downgraded to 1.44.0, which exposes a denial-of-service (DoS) vulnerability.
Reproducing the issue
No response
Firebase SDK Version
10.16.0
Xcode Version
15.0
Installation Method
Swift Package Manager
Firebase Product(s)
All
Targeted Platforms
iOS
Relevant Log Output
No response
If using Swift Package Manager, the project's Package.resolved
If using CocoaPods, the project's Podfile.lock