=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN501
_____________________________________________________________________

DATE                : 12/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache bRPC versions prior to 1.14.1.

=====================================================================
https://lists.apache.org/thread/r3xsy3wvs4kmfhc281173k5b6ll1xt2m
_____________________________________________________________________

CVE-2025-54472: Apache bRPC: Redis Parser Remote Denial of Service
Severity: important 

Affected versions:

- Apache bRPC before 1.14.1

Description:

Unlimited memory allocation in the Redis protocol parser of Apache bRPC
(all versions < 1.14.1) on all platforms allows attackers to crash
the service over the network.


Root Cause: In the bRPC Redis protocol parser code, memory for arrays
or strings is allocated with sizes taken directly from integers read
from the network. If an integer read from the network is too large,
the allocation fails with a bad alloc error and the program crashes.
Attackers can exploit this behaviour by sending crafted packets to a
bRPC service to carry out a denial-of-service attack against it.
bRPC 1.14.0 tried to fix this issue by limiting the allocation size;
however, the limit check is not implemented correctly, can be subject
to integer overflow, and can therefore be evaded. Version 1.14.0 is
thus also vulnerable, although the integer range that affects 1.14.0
differs from the range that affects versions < 1.14.0.



Affected scenarios: Using bRPC as a Redis server to provide network
services to untrusted clients, or using bRPC as a Redis client to call
untrusted Redis services.



How to Fix: two methods are available; choose one of them:

1. Upgrade bRPC to version 1.14.1.
2. Apply the patch ( https://github.com/apache/brpc/pull/3050 ) manually.

Whichever method you choose, note that the patch limits the maximum
amount of memory allocated per allocation in the bRPC Redis parser. The
default limit is 64M. If some of your Redis requests or responses are
larger than 64M, you may encounter errors after upgrading. In that case,
you can modify the gflag redis_max_allocation_size to set a larger limit.
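The root cause and the fix above both come down to one rule: a length
read from the network must be bounded, and the bound must be checked in
arithmetic that cannot wrap before the value is used to size an
allocation. The following C++ is an added illustration written for this
note; it is not bRPC's parser and not the patch from PR 3050. It parses a
RESP bulk-string header ("$<len>\r\n") with overflow-proof digit
accumulation and a configurable cap whose assumed default is 64 MiB
(the advisory's "64M" for redis_max_allocation_size), and, for contrast,
a deliberately naive check that performs the comparison in a narrower
integer type after the value has already wrapped. Function names and the
exact cap value are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>

// Assumed default cap, modelled on the advisory's 64M default for the
// redis_max_allocation_size gflag (exact bRPC value not taken from the page).
constexpr uint64_t kDefaultMaxAllocation = 64ull * 1024 * 1024;

// Parsed RESP bulk-string header such as "$5\r\n".
struct BulkHeader {
    int64_t length;   // -1 denotes a null bulk string ("$-1\r\n")
    size_t consumed;  // bytes of the header consumed, including "\r\n"
};

// Overflow-proof parse of the decimal length in a bulk-string header.
// Returns nullopt for malformed input, for a value that would wrap the
// accumulator, or for a length above max_alloc. The caller only allocates
// after this returns, so an unchecked network integer never sizes a buffer.
std::optional<BulkHeader> parse_bulk_header(const std::string& buf,
                                            uint64_t max_alloc = kDefaultMaxAllocation) {
    if (buf.size() < 4 || buf[0] != '$') return std::nullopt;
    size_t i = 1;
    bool negative = false;
    if (buf[i] == '-') { negative = true; ++i; }
    if (i >= buf.size() || buf[i] < '0' || buf[i] > '9') return std::nullopt;

    uint64_t value = 0;
    while (i < buf.size() && buf[i] >= '0' && buf[i] <= '9') {
        const unsigned digit = static_cast<unsigned>(buf[i] - '0');
        // Check *before* multiplying so the accumulator can never wrap.
        if (value > (UINT64_MAX - digit) / 10) return std::nullopt;
        value = value * 10 + digit;
        // Reject as soon as the cap is exceeded; remaining digits are irrelevant.
        if (value > max_alloc) return std::nullopt;
        ++i;
    }
    if (i + 1 >= buf.size() || buf[i] != '\r' || buf[i + 1] != '\n') return std::nullopt;

    if (negative) {
        if (value != 1) return std::nullopt;  // only "$-1" (null bulk) is valid
        return BulkHeader{-1, i + 2};
    }
    return BulkHeader{static_cast<int64_t>(value), i + 2};
}

// Illustrative anti-pattern (hypothetical, not bRPC's code): comparing
// against the cap in 32-bit arithmetic after the requested size has been
// truncated. 4294967306 wraps to 10, which is below any sensible cap, so the
// check "passes" even though the caller would then try to allocate 4 GiB.
bool naive_check_passes(uint64_t requested, uint32_t max_alloc) {
    const uint32_t truncated = static_cast<uint32_t>(requested);  // silent wrap
    return truncated <= max_alloc;
}

int main() {
    // Constructed sample headers: a normal bulk string, a null bulk string,
    // a length just past 2^32, and a length that would overflow 64 bits.
    const char* samples[] = {"$5\r\nhello", "$-1\r\n",
                             "$4294967306\r\n", "$99999999999999999999\r\n"};
    for (const char* s : samples) {
        auto h = parse_bulk_header(s);
        if (h) {
            std::cout << "accepted length " << h->length
                      << " (consumed " << h->consumed << " bytes)\n";
        } else {
            std::cout << "rejected header\n";
        }
    }
    std::cout << "naive 32-bit check on 4294967306: "
              << (naive_check_passes(4294967306ull, kDefaultMaxAllocation) ? "passes" : "fails")
              << "\n";
    return 0;
}
```

The hardened parser rejects the oversized header on the first digit that
pushes the running value past the cap, which is why the cap can be raised
via a setting (the advisory's redis_max_allocation_size) without changing
the parsing logic; the naive variant shows why a limit check must be done
in the same width as the value it guards.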


Credit:

Tyler Zars (reporter)


References:

https://brpc.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-54472



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
