PT-2023-24886 · Cometbft · Cometbft

Mmsqe · Published 2023-07-03 · Updated 2023-07-17 · CVE-2023-34450

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: CometBFT 0.34.28 (only this release of the 0.34.x line) and CometBFT 0.37.1 (only this release of the 0.37.x line).
Description: An internal change to the way the PeerState struct is serialized to JSON introduced a deadlock when the new MarshalJSON method is called. The method is reached from two places: via logging, when the consensus log module is set to "debug" level and the log output format is set to JSON, and via the dump consensus state RPC endpoint (/dump_consensus_state).

In the first case the deadlock eventually spreads to most goroutines, effectively halting the node. In the second case only the data structures related to the first peer are deadlocked; that peer times out and is removed from the peer list after 2 minutes. The theoretical worst case is a network with only two validator nodes, where the chain halts until the peer connections time out. As the number of nodes in a network increases, the likelihood of reproducing this disruption decreases.
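The mechanics of a JSON-marshalling deadlock, as an added example that is not CometBFT's code: the struct below stands in for a mutex-guarded PeerState. The specific trigger used here (a MarshalJSON that takes the struct's mutex and then marshals the same value, so encoding/json re-enters MarshalJSON and blocks on the non-reentrant sync.Mutex) is an assumption made for the illustration, not something this advisory states. The hardened variant converts the value to a method-less alias type before encoding, which is the standard Go idiom for avoiding that re-entry. marshalWithTimeout is a helper written for this example so the stuck call can be observed instead of hanging the program.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// VulnerablePeerState is a hypothetical stand-in for a mutex-guarded peer
// state struct. The mutex is unexported, so encoding/json skips it.
type VulnerablePeerState struct {
	mtx    sync.Mutex
	Height int64 `json:"height"`
	Round  int32 `json:"round"`
}

// MarshalJSON takes the lock and then hands the same value back to the
// encoder. encoding/json sees that *VulnerablePeerState implements
// json.Marshaler and calls MarshalJSON again; the second Lock() on a
// sync.Mutex never returns, so this goroutine parks holding the lock forever
// and every other goroutine that later needs the lock parks behind it.
func (ps *VulnerablePeerState) MarshalJSON() ([]byte, error) {
	ps.mtx.Lock()
	defer ps.mtx.Unlock()
	return json.Marshal(ps) // re-enters MarshalJSON: deadlock
}

// FixedPeerState has the same fields; only MarshalJSON differs.
type FixedPeerState struct {
	mtx    sync.Mutex
	Height int64 `json:"height"`
	Round  int32 `json:"round"`
}

// MarshalJSON encodes through an alias type. A defined type with the same
// underlying struct has none of FixedPeerState's methods, so the encoder does
// not see a json.Marshaler and walks the exported fields directly: no
// re-entry, no second Lock().
func (ps *FixedPeerState) MarshalJSON() ([]byte, error) {
	ps.mtx.Lock()
	defer ps.mtx.Unlock()
	type jsonPeerState FixedPeerState
	return json.Marshal((*jsonPeerState)(ps))
}

// marshalWithTimeout runs json.Marshal in its own goroutine and reports
// whether it returned within d. A deadlocked MarshalJSON never returns, so
// the goroutine (and the lock it holds) is abandoned, which is exactly the
// state a stuck node is left in.
func marshalWithTimeout(m json.Marshaler, d time.Duration) (out string, deadlocked bool) {
	type result struct {
		b   []byte
		err error
	}
	ch := make(chan result, 1)
	go func() {
		b, err := json.Marshal(m)
		ch <- result{b, err}
	}()
	select {
	case r := <-ch:
		if r.err != nil {
			return r.err.Error(), false
		}
		return string(r.b), false
	case <-time.After(d):
		return "", true
	}
}

// DemoVulnerable reports whether encoding the vulnerable state deadlocked.
func DemoVulnerable() bool {
	ps := &VulnerablePeerState{Height: 10, Round: 2}
	_, deadlocked := marshalWithTimeout(ps, 200*time.Millisecond)
	return deadlocked
}

// DemoFixed returns the JSON produced by the hardened state and whether it
// deadlocked.
func DemoFixed() (string, bool) {
	ps := &FixedPeerState{Height: 10, Round: 2}
	return marshalWithTimeout(ps, 200*time.Millisecond)
}

func main() {
	fmt.Println("vulnerable MarshalJSON deadlocked:", DemoVulnerable())
	out, deadlocked := DemoFixed()
	fmt.Println("fixed MarshalJSON deadlocked:", deadlocked, "output:", out)
}
```

The review check this suggests for any Go code base: every json.Marshaler (or fmt.Stringer, or logging hook) implemented on a struct that owns a sync.Mutex or sync.RWMutex must not, while holding that lock, call anything that can dispatch back to the same method on the same value. Both mutex types in Go are non-reentrant, so the failure is a silent hang rather than a crash, which is why it surfaced as peers timing out rather than as a panic.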
Recommendations: For CometBFT 0.34.28, update to 0.34.29; for CometBFT 0.37.1, update to 0.37.2. Both releases fix the regression. As a temporary workaround for the logging case, do not combine a JSON log output format with "debug" level on the consensus log module: changing either setting is sufficient. As a temporary workaround for the RPC case, do not expose the dump consensus state RPC endpoint to the public internet (for example, bind the RPC listener to a loopback address or restrict it with a firewall or reverse proxy).
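The two workarounds expressed in CometBFT's config.toml, as an added example and not a file from the advisory. The key names (log_level, log_format, and laddr under [rpc]) are the ones CometBFT's config file uses; the values shown for the triggering combination are assumed for the illustration, and the commented-out lines are there only to show the setting being replaced.

```toml
# Case 1 trigger: both settings together route consensus debug log lines
# through the JSON encoder, which calls PeerState.MarshalJSON.
#log_level = "consensus:debug,*:info"
#log_format = "json"

# Workaround: change either one. Keeping JSON output but dropping the consensus
# module to "info" is enough; so is keeping "consensus:debug" with
# log_format = "plain".
log_level = "info"
log_format = "json"

[rpc]
# Case 2 workaround: do not expose the RPC server, and with it
# /dump_consensus_state, to the public internet. Bind it to loopback instead
# of all interfaces; anything that needs remote access goes through an
# authenticated proxy or a firewall rule, not through a public listener.
#laddr = "tcp://0.0.0.0:26657"
laddr = "tcp://127.0.0.1:26657"
```

Note that the RPC workaround only reduces who can trigger the second case; an operator or monitoring job that calls /dump_consensus_state from localhost still deadlocks the first peer's state until the patched release is deployed.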

Weakness Enumeration

Memory Leak
Allocation of Resources Without Limits

Related Identifiers

CVE-2023-34450
GHSA-MVJ3-QRQH-CJVR
GO-2023-1882

Affected Products

Cometbft