PT-2022-16026 · Go-Libp2P
Author: P-Shahi · Published 2022-12-07 · Updated 2023-07-14
CVE-2022-23492
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
go-libp2p versions 0.18.0 and older
Description
The issue concerns targeted resource exhaustion attacks that affect libp2p's connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host's operating system. While a connection manager is part of go-libp2p to keep connections within manageable limits, it was designed to handle regular peer churn, not targeted resource exhaustion attacks.
Recommendations
To resolve the issue, upgrade go-libp2p to version 0.18.1 or newer. For versions prior to 0.18.1, consider the following:
- Update your go-libp2p dependency to go-libp2p v0.18.1 or greater.
- Determine appropriate limits for your application, as go-libp2p sets up a resource manager with default limits if none are provided.
- Configure your node to be attack resilient by setting up automatic blocking with fail2ban using canonical libp2p log lines.
- Consider updating to v0.21.0 or newer for additional functionality that helps in production environments, such as better metrics around resource usage and default autoscaling limits. For users unable to upgrade, consult the denial of service (DoS) mitigation page for more information on incorporating mitigation strategies, monitoring your application, and responding to attacks.
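The recommendations above hinge on one idea: every connection, stream and memory reservation is charged against a scope with a fixed limit, both for the node as a whole and for each remote peer, so a single peer cannot exhaust the process and the total stays bounded no matter how many peers arrive. The following is an added, stand-alone Go example of that scoped-limit approach written for this advisory; it is not go-libp2p's resource manager and does not use its API. The limit values, the peer identifiers and the log line format are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"sync"
)

// Limits bounds the resources one scope may hold. A scope is either the
// whole node ("system") or one remote peer. Values are constructed for
// this example and are not go-libp2p's defaults.
type Limits struct {
	Conns   int
	Streams int
	Memory  int64 // bytes
}

// ErrLimitExceeded is returned when a reservation would exceed a scope's limits.
var ErrLimitExceeded = errors.New("resource limit exceeded")

// scope tracks live usage of one scope against its limits.
type scope struct {
	name    string
	limit   Limits
	conns   int
	streams int
	memory  int64
}

func (s *scope) fits(conns, streams int, mem int64) bool {
	return s.conns+conns <= s.limit.Conns &&
		s.streams+streams <= s.limit.Streams &&
		s.memory+mem <= s.limit.Memory
}

func (s *scope) apply(conns, streams int, mem int64) {
	s.conns += conns
	s.streams += streams
	s.memory += mem
}

// Manager enforces a system-wide limit and an independent per-peer limit.
// A reservation must fit in both scopes: the per-peer scope stops one peer
// from taking the whole budget, the system scope caps the total.
type Manager struct {
	mu        sync.Mutex
	system    scope
	peerLimit Limits
	peers     map[string]*scope
	Rejected  int // refused reservations, suitable for a metric or alert
}

func NewManager(system, perPeer Limits) *Manager {
	return &Manager{
		system:    scope{name: "system", limit: system},
		peerLimit: perPeer,
		peers:     make(map[string]*scope),
	}
}

func (m *Manager) peer(id string) *scope {
	p, ok := m.peers[id]
	if !ok {
		p = &scope{name: "peer:" + id, limit: m.peerLimit}
		m.peers[id] = p
	}
	return p
}

// reserve checks both scopes before charging either, so a refused request
// leaves usage unchanged. Refusals are logged in a stable, greppable form
// (a constructed format for this example, not go-libp2p's log line) so an
// external tool can count them per peer.
func (m *Manager) reserve(id string, conns, streams int, mem int64) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	p := m.peer(id)
	for _, s := range []*scope{&m.system, p} {
		if !s.fits(conns, streams, mem) {
			m.Rejected++
			log.Printf("resource limit exceeded: scope=%s peer=%s conns=%d streams=%d mem=%d",
				s.name, id, s.conns, s.streams, s.memory)
			return fmt.Errorf("%w: scope %s", ErrLimitExceeded, s.name)
		}
	}
	m.system.apply(conns, streams, mem)
	p.apply(conns, streams, mem)
	return nil
}

// release returns resources; callers pair it with the matching reserve.
func (m *Manager) release(id string, conns, streams int, mem int64) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.system.apply(-conns, -streams, -mem)
	m.peer(id).apply(-conns, -streams, -mem)
}

func (m *Manager) OpenConn(id string) error               { return m.reserve(id, 1, 0, 0) }
func (m *Manager) CloseConn(id string)                    { m.release(id, 1, 0, 0) }
func (m *Manager) OpenStream(id string) error             { return m.reserve(id, 0, 1, 0) }
func (m *Manager) CloseStream(id string)                  { m.release(id, 0, 1, 0) }
func (m *Manager) ReserveMemory(id string, n int64) error { return m.reserve(id, 0, 0, n) }
func (m *Manager) ReleaseMemory(id string, n int64)       { m.release(id, 0, 0, n) }

func main() {
	// Constructed limits: 4 connections node-wide, 2 per peer.
	m := NewManager(Limits{Conns: 4, Streams: 64, Memory: 8 << 20},
		Limits{Conns: 2, Streams: 8, Memory: 1 << 20})
	for i := 0; i < 3; i++ {
		if err := m.OpenConn("peerA"); err != nil {
			fmt.Println("refused:", err)
		}
	}
	fmt.Println("rejections:", m.Rejected)
}
```

Checking the system scope first and only then the peer scope mirrors how the bullet list orders its advice: the node-wide budget is what keeps the process alive, the per-peer budget is what keeps one peer from monopolising it. The Rejected counter and the per-peer log line are the hooks the "monitoring your application" and fail2ban recommendations rely on; in a real deployment the limits would come from the application's measured needs rather than the constructed numbers used here.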
Tags: Resource Exhaustion · Allocation of Resources Without Limits
Affected Products: Go-Libp2P