Report
I believe I've identified a vulnerability in Hyperledegr Besu where its possible to cause an interruption/denial of service for the HTTP JSON-RPC API service (Potential to also impact websocket service)
If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials.
A single user can readily overload the login endpoint with invalid requests (incorrect password).
As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail.
A valid username is required for this vulnerability to be exposed.
Reporter
Ian Cusden ian.cusden@gmail.com
Impact
- Potential DoS from a remote network position
- All versions of Besu are impacted
- Attacker needs to know a valid username
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Report
I believe I've identified a vulnerability in Hyperledegr Besu where its possible to cause an interruption/denial of service for the HTTP JSON-RPC API service (Potential to also impact websocket service)
If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials.
A single user can readily overload the login endpoint with invalid requests (incorrect password).
As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail.
A valid username is required for this vulnerability to be exposed.
Reporter
Ian Cusden ian.cusden@gmail.com
Impact
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory: