Resolve CVE-2023-32731

[reyang]

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

grpc/grpc#32309

[codecov]

Codecov Report

Merging #4647 (ab4ce47) into main (66a6062) will increase coverage by 0.00%.
The diff coverage is 100.00%.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4647   +/-   ##
=======================================
  Coverage   84.98%   84.99%           
=======================================
  Files         314      314           
  Lines       12683    12685    +2     
=======================================
+ Hits        10779    10781    +2     
  Misses       1904     1904           

Impacted Files	Coverage Δ
...tation.AspNetCore/Implementation/HttpInListener.cs	90.47% <100.00%> (+0.10%)	⬆️

[alanwest]

Are you sure 2.52.0 contains the fix? Based on the PR you reference, it looks like when it was merged its commit is tagged with 2.53.0 grpc/grpc@29d8bee

[alanwest]

Oh, my mistake the fix was the PR is against the core grpc repo not Grpc.Net.Client.

[utpilla]

2.52.0 is also the lowest available version of the package with no known vulnerabilities.

https://www.nuget.org/packages/Grpc.Net.Client

[reyang]

https://www.nuget.org/packages/Grpc.Net.Client this is the one we'll be using.
I guess the general rule here is to reference the lowest version that is not deprecated?

[alanwest]

@Kielek heads up...

[utpilla]

@open-telemetry/dotnet-instrumentation-maintainers FYI

[Kielek]

@alanwest, thanks for the information. Unfortunately, it is a good reason to update.