Skip to content

Improper Input Validation in orderer/common/cluster consensus request

High
ryjones published GHSA-72x4-cq6r-jp4p Jul 7, 2022

Package

gomod orderer/common/cluster (Go)

Affected versions

<2.2.7, <2.4.5

Patched versions

2.2.7, 2.4.5

Description

Impact

If a consensus client sends a malformed consensus request to an orderer it may crash the orderer node.
This fix checks for the malformed consensus request and returns an error to the consensus client.

Patches

Fixed in v2.2.7 and v2.4.5.

Workarounds

None, users must upgrade to v2.2.7 or v2.4.5.

References

https://github.com/hyperledger/fabric/releases/tag/v2.2.7
https://github.com/hyperledger/fabric/releases/tag/v2.4.5

For more information

If you have any questions or comments about this advisory:

Credits

Thank you to Haosheng Wang of OPPO ZIWU Security Lab for this disclosure.

Severity

High

CVE ID

CVE-2022-31121

Weaknesses

Credits