PT-2021-14451 · Hyperledger · Hyperledger Besu

Ian Cusden

·

Published

2021-03-09

·

Updated

2021-03-16

·

CVE-2021-21369

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Hyperledger Besu versions prior to 1.5.1

Description

The issue involves a denial-of-service vulnerability in the HTTP JSON-RPC API service. When username and password authentication is enabled, an attacker can overload the login endpoint with invalid requests, causing the processing of other valid requests to fail. This is because the password validity check is performed on the main event loop and takes a relatively long time. A valid username is required to expose this issue.

Recommendations

For versions prior to 1.5.1, update to version 1.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the login endpoint or disabling username and password authentication for the HTTP JSON-RPC API service until the update can be applied.
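The mechanism behind the advisory, as an added illustration that is not Besu code (Besu is a Java/Vert.x service; the page does not say how version 1.5.1 changed the login path): a CPU-bound password check run directly inside an event-loop handler stalls every other request until it returns, whereas the same check handed to a worker pool lets the loop keep serving unrelated calls. The user name, salt and password are constructed, the iteration count is chosen only to make the check measurably slow, and `login_blocking` / `login_offloaded` / `cheap_request` are hypothetical handlers standing in for the login endpoint and an ordinary JSON-RPC call.

```python
import asyncio
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

# Constructed credential store: one user, PBKDF2-SHA256 with a high iteration
# count so the check is measurably CPU-bound (tens of milliseconds).
ITERATIONS = 200_000
_SALT = b"constructed-salt-16b"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, ITERATIONS)}


def check_password(username: str, password: str) -> bool:
    """Slow credential check. An unknown user returns immediately, which is
    why the advisory notes that a valid username is needed to trigger the
    expensive path."""
    stored = _USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


async def login_blocking(username, password, log):
    # Weak pattern: the hash runs inside the coroutine, so the event loop
    # cannot service any other request until it returns.
    ok = check_password(username, password)
    log.append(("login", ok))
    return ok


async def login_offloaded(username, password, log, pool):
    # Hardened pattern: the CPU-bound work goes to a worker thread; the
    # coroutine suspends and the loop keeps serving other requests.
    loop = asyncio.get_running_loop()
    ok = await loop.run_in_executor(pool, check_password, username, password)
    log.append(("login", ok))
    return ok


async def cheap_request(log):
    # Stands in for any unrelated, fast JSON-RPC call.
    await asyncio.sleep(0)
    log.append(("cheap", True))
    return True


async def _run(offload: bool):
    log = []
    pool = ThreadPoolExecutor(max_workers=1) if offload else None
    login = (login_offloaded("alice", "wrong", log, pool) if offload
             else login_blocking("alice", "wrong", log))
    # Both requests are submitted together; the login task is scheduled first.
    await asyncio.gather(login, cheap_request(log))
    if pool is not None:
        pool.shutdown()
    return [name for name, _ in log]


def completion_order(offload: bool) -> list:
    """Order in which the login request and the cheap request completed."""
    return asyncio.run(_run(offload))


if __name__ == "__main__":
    print("blocking :", completion_order(False))   # ['login', 'cheap']
    print("offloaded:", completion_order(True))    # ['cheap', 'login']
```

With the blocking handler the cheap request cannot finish until the failed login has been fully hashed; with the offloaded handler it completes first. Offloading restores responsiveness but does not remove the CPU cost of each attempt, so it pairs naturally with the workaround the advisory already gives: limiting who can reach the login endpoint (or a per-client rate limit on it) keeps a flood of bad credentials from saturating the worker pool as well.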

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2021-21369
GHSA-QGFJ-MJPC-7W3Q

Affected Products

Hyperledger Besu