# Changelog

## v0.33.3

*April 6, 2020*

This security release fixes:

### Denial of service 1

Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests.

For each p2p connection, Tendermint allocates ~0.5MB. Even though this
memory is garbage collected once the connection is terminated (due to duplicate
IP or reaching a maximum number of inbound peers), temporary memory spikes can
lead to OOM (Out-Of-Memory) exceptions.

Tendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming
connection requests to `p2p.max_num_inbound_peers +
len(p2p.unconditional_peer_ids)`.

Notes:

- Tendermint does not rate limit P2P connection requests per IP (an attacker
  can saturate all the inbound slots);
- Tendermint does not rate limit HTTP(S) requests. If you expose any RPC
  endpoints to the public, please make sure to put in place some protection
  (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in
  the future ([\#1696](https://github.com/tendermint/tendermint/issues/1696)).

### Denial of service 2

Tendermint 0.33.2 and earlier does not reclaim the `activeID` of a peer after it's
removed in the `Mempool` reactor. This does not happen all the time. It only
happens when a connection fails (for any reason) before the Peer is created and
added to all reactors. `RemovePeer` is therefore called before `AddPeer`, which
leads to ever-growing memory (the `activeIDs` map). The `activeIDs` map has a
maximum size of 65535 and the node will panic if this map reaches the maximum.
An attacker can create a lot of connection attempts (exploiting Denial of
service 1), which ultimately will lead to the node panicking.

Tendermint 0.33.3 (and 0.32.10) claims the `activeID` for a peer in `InitPeer`,
which is executed before `MConnection` is started.

Notes:

- The `InitPeer` function was added to all reactors to combat a similar issue -
  [\#3338](https://github.com/tendermint/tendermint/issues/3338);
- Denial of service 2 is independent of Denial of service 1 and can be executed
  without it.
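
As an added illustration (not Tendermint's own code), the Go model below replays the ordering described for Denial of service 2: a handshake whose connection fails before `AddPeer` runs, so `RemovePeer` fires first, once with the ID reserved in `AddPeer` (0.33.2) and once with it reserved in `InitPeer` (0.33.3). The `peerIDs` type, the `failedConnections` helper and the `peer-N` names are assumptions made for the example.

```go
package main

import "fmt"

type peerIDs struct { // simplified model, not Tendermint's own code
	peerMap   map[string]uint16   // peer key -> reserved ID
	activeIDs map[uint16]struct{} // IDs currently in use
	nextID    uint16
}

func (ids *peerIDs) reserve(peer string) {
	if len(ids.activeIDs) >= 65535 { // the cap the changelog mentions
		panic("node has maximum 65535 active IDs and wanted to get one more")
	}
	for _, taken := ids.activeIDs[ids.nextID]; taken; _, taken = ids.activeIDs[ids.nextID] {
		ids.nextID++ // skip IDs still held by other peers
	}
	ids.peerMap[peer] = ids.nextID
	ids.activeIDs[ids.nextID] = struct{}{}
	ids.nextID++
}

func (ids *peerIDs) reclaim(peer string) {
	if id, ok := ids.peerMap[peer]; ok {
		delete(ids.activeIDs, id)
		delete(ids.peerMap, peer)
	}
}

// failedConnections replays n handshakes whose connection errors before AddPeer runs,
// so RemovePeer fires first. reserveInInitPeer=false models 0.33.2 (reserve in
// AddPeer); true models 0.33.3 (reserve in InitPeer, before MConnection starts).
func failedConnections(n int, reserveInInitPeer bool) int {
	ids := &peerIDs{peerMap: map[string]uint16{}, activeIDs: map[uint16]struct{}{}}
	for i := 0; i < n; i++ {
		peer := fmt.Sprintf("peer-%d", i)
		if reserveInInitPeer {
			ids.reserve(peer) // InitPeer
		}
		ids.reclaim(peer) // RemovePeer: nothing to reclaim in the 0.33.2 ordering
		if !reserveInInitPeer {
			ids.reserve(peer) // AddPeer: reserved after removal, never reclaimed
		}
	}
	return len(ids.activeIDs) // IDs still held after every peer is gone
}

func main() {
	fmt.Println("0.33.2 ordering leaks:", failedConnections(1000, false), "0.33.3:", failedConnections(1000, true))
}
```

With the old ordering every failed handshake leaves one ID behind, so repeated attempts walk the map towards the 65535 limit and the panic; with reservation moved to `InitPeer` the count stays at zero.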

**All clients are recommended to upgrade**

Special thanks to [fudongbai](https://hackerone.com/fudongbai) for finding
and reporting this.

Friendly reminder, we have a [bug bounty
program](https://hackerone.com/tendermint).

### SECURITY:

- [mempool] Reserve IDs in InitPeer instead of AddPeer (@tessr)
- [p2p] Limit the number of incoming connections (@melekes)

## v0.33.2

*March 11, 2020*