Eight new DoS vulnerabilities in HTTP/2 implementations were disclosed
today, as detailed by CERT Vulnerability Note VU#605641
. gRPC implementations were
potentially impacted by the following: CVE-2019-9512 (Ping Flood),
CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood).
The following versions of gRPC contain fixes to these CVEs:
- gRPC-Go: 1.23.0, 1.22.2, 1.21.3
- Original fix: grpc/grpc-go#2970
- gRPC-Java: 1.23.0, 1.22.2, 1.21.1
- (These releases are currently available but may not be indexed on
- Original fix: grpc/grpc-java#6056
- gRPC-C and wrapped languages: 1.23.0, 1.22.1
- (Releases currently in progress.)
- Original fix: grpc/grpc#19924
We recommend updating to one of these releases as soon as possible.