PT-2023-29865 · Unknown · Hyperledger Fabric

Yacovm · Published 2023-11-14 · Updated 2024-07-18 · CVE-2023-46132

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Hyperledger Fabric versions prior to 2.2.14 and 2.5.5

Description: The issue arises from the way Hyperledger Fabric hashes the transactions in a block, which allows an adversary to manipulate the transactions without changing the computed hash of the block. This can lead to a peer parsing transactions differently from its peers, so that its world state deviates from theirs. The vulnerability can be exploited to create a "cross-linked block" that alters the way peers process transactions, potentially causing a fork in the network. There are no known workarounds for this issue.

Recommendations: To resolve the issue, users are advised to upgrade to version 2.2.14 or 2.5.5, which include additional validations to detect potential cross-linking before blocks are processed. For versions prior to 2.2.14 and 2.5.5, consider applying the proposed patch that adds a VerifyTransactionsAreWellFormed function to ensure the integrity of the transactions in a block. As a temporary workaround, consider implementing additional validation checks on transactions to detect any potential manipulation.
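The defensive idea behind the patch can be shown without Fabric itself. The example below is added here and is not Fabric's code: it uses a constructed toy transaction encoding (2-byte ID length, ID, 4-byte value) and a parser that, like many wire-format decoders, silently tolerates trailing bytes. It shows that a digest over the plain concatenation of transactions is blind to where one transaction ends and the next begins, and two checks a validator can add: a round-trip well-formedness check in the spirit of VerifyTransactionsAreWellFormed (decode each transaction, re-encode it, reject the block if the bytes differ), and a length-framed digest that changes whenever a boundary moves. The function and type names, the toy format and the sample data are all assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// naiveBlockDataHash digests the plain concatenation of the transactions.
// Any re-partitioning of the same bytes into different transactions yields
// the same digest, so the hash alone cannot detect shifted boundaries.
func naiveBlockDataHash(txs [][]byte) [32]byte {
	return sha256.Sum256(bytes.Join(txs, nil))
}

// framedBlockDataHash prefixes every transaction with its length before it is
// absorbed, so moving bytes across a transaction boundary changes the digest.
func framedBlockDataHash(txs [][]byte) [32]byte {
	h := sha256.New()
	var n [8]byte
	for _, tx := range txs {
		binary.BigEndian.PutUint64(n[:], uint64(len(tx)))
		h.Write(n[:])
		h.Write(tx)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// toyTx stands in for a transaction envelope (constructed for this example).
type toyTx struct {
	ID    string
	Value uint32
}

// encodeTx is the canonical encoding: 2-byte big-endian ID length, ID, 4-byte value.
func encodeTx(t toyTx) []byte {
	buf := make([]byte, 2+len(t.ID)+4)
	binary.BigEndian.PutUint16(buf[0:2], uint16(len(t.ID)))
	copy(buf[2:], t.ID)
	binary.BigEndian.PutUint32(buf[2+len(t.ID):], t.Value)
	return buf
}

// decodeTx is deliberately tolerant: it reads the fields it knows and ignores
// anything after them, which is what makes a round-trip check necessary.
func decodeTx(b []byte) (toyTx, error) {
	if len(b) < 2 {
		return toyTx{}, errors.New("short transaction: missing ID length")
	}
	n := int(binary.BigEndian.Uint16(b[0:2]))
	if len(b) < 2+n+4 {
		return toyTx{}, fmt.Errorf("short transaction: need %d bytes, have %d", 2+n+4, len(b))
	}
	return toyTx{ID: string(b[2 : 2+n]), Value: binary.BigEndian.Uint32(b[2+n : 6+n])}, nil
}

// verifyTransactionsAreWellFormed decodes and re-encodes every transaction and
// rejects the block if any round trip does not reproduce the original bytes.
// This is the principle of the check the advisory names, not Fabric's implementation.
func verifyTransactionsAreWellFormed(txs [][]byte) error {
	for i, tx := range txs {
		t, err := decodeTx(tx)
		if err != nil {
			return fmt.Errorf("transaction %d: %v", i, err)
		}
		if canon := encodeTx(t); !bytes.Equal(canon, tx) {
			return fmt.Errorf("transaction %d: re-encoded bytes differ from original (%d unexpected bytes)", i, len(tx)-len(canon))
		}
	}
	return nil
}

// sampleBlocks builds a constructed two-transaction block and a copy whose
// bytes are identical overall but whose first boundary sits two bytes later.
func sampleBlocks() (original, shifted [][]byte) {
	a := encodeTx(toyTx{ID: "tx-a", Value: 10})
	b := encodeTx(toyTx{ID: "tx-b", Value: 20})
	original = [][]byte{a, b}
	a2 := append(append([]byte{}, a...), b[:2]...) // tx-a plus two bytes of its neighbour
	b2 := append([]byte{}, b[2:]...)               // tx-b minus its length prefix
	shifted = [][]byte{a2, b2}
	return original, shifted
}

func main() {
	original, shifted := sampleBlocks()
	fmt.Printf("naive digests equal:  %v\n", naiveBlockDataHash(original) == naiveBlockDataHash(shifted))
	fmt.Printf("framed digests equal: %v\n", framedBlockDataHash(original) == framedBlockDataHash(shifted))
	fmt.Printf("original well formed: %v\n", verifyTransactionsAreWellFormed(original))
	fmt.Printf("shifted well formed:  %v\n", verifyTransactionsAreWellFormed(shifted))
}
```

Run with `go run .`: the naive digests match while the framed digests do not, the original block passes, and the shifted block is rejected because the first transaction decodes cleanly (the tolerant parser absorbs the two stray bytes) but does not re-encode to its original bytes. Re-encoding is the cheaper check to retrofit because it leaves the block hash format untouched; changing the digest to a framed one would alter what every node in the network computes and is therefore a protocol change rather than a validation step.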

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

BIT-HYPERLEDGER-FABRIC-ORDERER-2023-46132
BIT-HYPERLEDGER-FABRIC-PEER-2023-46132
BIT-HYPERLEDGER-FABRIC-TOOLS-2023-46132
CVE-2023-46132
GHSA-V9W2-543F-H69M

Affected Products

Hyperledger Fabric