CVE-2021-36153

7.5 HIGH

📋 TL;DR

This vulnerability in gRPC Swift allows remote attackers to cause denial of service by sending malformed requests that trigger mismanaged state in the GRPCWebToHTTP2ServerCodec component. It affects systems running gRPC Swift 1.1.0 or 1.1.1 with gRPC-Web functionality enabled. The vulnerability can be exploited without authentication.

💻 Affected Systems

Products:
  • gRPC Swift
Versions: 1.1.0 through 1.1.1
Operating Systems: All platforms running Swift
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using gRPC-Web functionality. Standard gRPC over HTTP/2 is not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability requiring server restart, potentially affecting multiple services if gRPC Swift is used as a foundational component.

🟠 Likely Case

Service degradation or temporary unavailability affecting gRPC-Web endpoints until the malformed request processing is stopped.

🟢 If Mitigated

Minimal impact with proper request validation and rate limiting in place before requests reach the vulnerable component.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability was discovered through fuzzing (OSS-Fuzz), and malformed request generation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0 or later

Vendor Advisory: https://github.com/grpc/grpc-swift/security/advisories/GHSA-2jx2-qcm4-rf9h

Restart Required: Yes

Instructions:

1. Update gRPC Swift to version 1.2.0 or later using Swift Package Manager: set the package dependency to 'from: "1.2.0"'.
2. Rebuild and redeploy your application.
3. Restart affected services.

🔧 Temporary Workarounds

Disable gRPC-Web endpoints (applies to: all)

Temporarily disable gRPC-Web functionality if it is not required.

Modify the server configuration to remove GRPCWebToHTTP2ServerCodec usage.

Implement request filtering (applies to: all)

Add WAF or proxy rules to filter malformed requests before they reach gRPC Swift.

Configure WAF rules to block requests with malformed gRPC-Web headers.

🧯 If You Can't Patch

  • Implement strict rate limiting on gRPC-Web endpoints to limit impact
  • Deploy network-level protections (WAF) to filter malformed requests before they reach the vulnerable component

🔍 How to Verify

Check if Vulnerable:

Check Package.swift or Package.resolved for gRPC Swift dependency version 1.1.0 or 1.1.1

Check Version:

grep -r 'grpc-swift' Package.swift | grep -E '1\.1\.0|1\.1\.1'

Verify Fix Applied:

Verify that the gRPC Swift version is 1.2.0 or later in Package.swift (and in the pinned version in Package.resolved), then rebuild the application.
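The grep above only inspects Package.swift, where the dependency is usually declared as a range; the version actually built is the one pinned in Package.resolved. The following added script (not part of this advisory or of gRPC Swift) reads a Package.resolved in either the v1 or v2 layout, finds the grpc-swift pin and classifies it against the versions named above. The sample files embedded at the bottom are constructed for demonstration.

```python
"""Check a Package.resolved for the gRPC Swift versions affected by CVE-2021-36153."""
import json
from typing import Optional, Tuple

AFFECTED = {"1.1.0", "1.1.1"}   # versions named in the advisory
FIXED_MIN = (1, 2, 0)           # 1.2.0 or later carries the fix

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0); any pre-release suffix is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def find_grpc_swift_pin(resolved_json: str) -> Tuple[bool, Optional[str]]:
    """Return (found, version) for the grpc-swift pin in a v1 or v2 Package.resolved."""
    doc = json.loads(resolved_json)
    # v1 nests the pin list under "object"; v2 puts it at the top level
    pins = doc.get("pins") or doc.get("object", {}).get("pins", [])
    for pin in pins:
        ident = (pin.get("identity") or pin.get("package") or "").lower()
        loc = (pin.get("location") or pin.get("repositoryURL") or "").lower()
        if ident == "grpc-swift" or "grpc/grpc-swift" in loc:
            # version is None when the dependency is pinned to a branch or revision
            return True, pin.get("state", {}).get("version")
    return False, None

def assess(resolved_json: str) -> str:
    """Classify the pin as 'affected', 'fixed', 'unknown' or 'not-present'."""
    found, version = find_grpc_swift_pin(resolved_json)
    if not found:
        return "not-present"
    if version in AFFECTED:
        return "affected"
    if version is not None and parse_version(version) >= FIXED_MIN:
        return "fixed"
    return "unknown"   # branch/revision pin, or a version outside the advisory's range

# Constructed sample files, not taken from a real project
SAMPLE_V2 = json.dumps({"version": 2, "pins": [{
    "identity": "grpc-swift", "kind": "remoteSourceControl",
    "location": "https://github.com/grpc/grpc-swift.git",
    "state": {"revision": "placeholder", "version": "1.1.1"}}]})
SAMPLE_V1 = json.dumps({"version": 1, "object": {"pins": [{
    "package": "grpc-swift", "repositoryURL": "https://github.com/grpc/grpc-swift.git",
    "state": {"branch": None, "revision": "placeholder", "version": "1.2.0"}}]}})

if __name__ == "__main__":
    for name, sample in (("v2 sample", SAMPLE_V2), ("v1 sample", SAMPLE_V1)):
        print(name, "->", assess(sample))   # prints "affected" then "fixed"
```

A result of "unknown" means the dependency is pinned to a branch or commit rather than a tagged release, so the built version has to be checked by hand.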

📡 Detection & Monitoring

Log Indicators:

  • Sudden increase in connection resets on gRPC-Web endpoints
  • Error logs containing 'GRPCWebToHTTP2ServerCodec' with state management errors

Network Indicators:

  • Multiple malformed HTTP requests to gRPC-Web endpoints from single sources
  • Abnormal request patterns with invalid gRPC-Web headers

SIEM Query:

source="application_logs" AND ("GRPCWebToHTTP2ServerCodec" OR "state management error") AND severity=ERROR
