NVD

NOTICE UPDATED - April, 25th 2024

NIST has updated the NVD program announcement page with additional information regarding recent concerns and the temporary delays in enrichment efforts.

CVE-2023-34450 Detail

Description

CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. An internal modification made in versions 0.34.28 and 0.37.1 to the way struct `PeerState` is serialized to JSON introduced a deadlock when new function MarshallJSON is called. This function can be called from two places. The first is via logs, setting the `consensus` logging module to "debug" level (should not happen in production), and setting the log output format to JSON. The second is via RPC `dump_consensus_state`. Case 1, which should not be hit in production, will eventually hit the deadlock in most goroutines, effectively halting the node. In case 2, only the data structures related to the first peer will be deadlocked, together with the thread(s) dealing with the RPC request(s). This means that only one of the channels of communication to the node's peers will be blocked. Eventually the peer will timeout and excluded from the list (typically after 2 minutes). The goroutines involved in the deadlock will not be garbage collected, but they will not interfere with the system after the peer is excluded. The theoretical worst case for case 2, is a network with only two validator nodes. In this case, each of the nodes only has one `PeerState` struct. If `dump_consensus_state` is called in either node (or both), the chain will halt until the peer connections time out, after which the nodes will reconnect (with different `PeerState` structs) and the chain will progress again. Then, the same process can be repeated. As the number of nodes in a network increases, and thus, the number of peer struct each node maintains, the possibility of reproducing the perturbation visible with two nodes decreases. Only the first `PeerState` struct will deadlock, and not the others (RPC `dump_consensus_state` accesses them in a for loop, so the deadlock at the first iteration causes the rest of the iterations of that "for" loop to never be reached). This regression was fixed in versions 0.34.29 and 0.37.2. Some workarounds are available. For case 1 (hitting the deadlock via logs), either don't set the log output to "json", leave at "plain", or don't set the consensus logging module to "debug", leave it at "info" or higher. For case 2 (hitting the deadlock via RPC `dump_consensus_state`), do not expose `dump_consensus_state` RPC endpoint to the public internet (e.g., via rules in one's nginx setup).

Severity

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score: 5.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Nist CVSS score does not match with CNA score

CNA: GitHub, Inc.

Base Score: 3.7 LOW

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: It is possible that the NVD CVSS may not match that of the CNA. The most common reason for this is that publicly available information does not provide sufficient detail or that information simply was not available at the time the CVSS vector string was assigned.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://github.com/cometbft/cometbft/pull/524	Exploit Patch
https://github.com/cometbft/cometbft/pull/863	Patch
https://github.com/cometbft/cometbft/pull/865	Patch
https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr	Exploit Issue Tracking Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-401	Missing Release of Memory after Effective Lifetime	GitHub, Inc.
CWE-770	Allocation of Resources Without Limits or Throttling	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

1 change records found show changes

Initial Analysis by NIST 7/17/2023 2:56:29 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR cpe:2.3:a:cometbft:cometbft::::::::* versions from (including) 0.34.28 up to (excluding) 0.34.29 cpe:2.3:a:cometbft:cometbft::::::::* versions from (including) 0.37.1 up to (excluding) 0.37.2
Added	CVSS V3.1		NIST AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Changed	Reference Type	https://github.com/cometbft/cometbft/pull/524 No Types Assigned	https://github.com/cometbft/cometbft/pull/524 Exploit, Patch
Changed	Reference Type	https://github.com/cometbft/cometbft/pull/863 No Types Assigned	https://github.com/cometbft/cometbft/pull/863 Patch
Changed	Reference Type	https://github.com/cometbft/cometbft/pull/865 No Types Assigned	https://github.com/cometbft/cometbft/pull/865 Patch
Changed	Reference Type	https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr No Types Assigned	https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr Exploit, Issue Tracking, Patch

Quick Info

CVE Dictionary Entry:
CVE-2023-34450
NVD Published Date:
07/03/2023
NVD Last Modified:
07/17/2023
Source:
GitHub, Inc.

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database