google / ml-metadata

For recording and retrieving metadata associated with ML developer and data scientist workflows.
https://www.tensorflow.org/tfx/guide/mlmd
Apache License 2.0

CVE-2023-44487 and CVE-2023-39325 affecting mlmd gRPC remote server? #183

Open dhirajsb opened 1 year ago

dhirajsb commented 1 year ago

Since the remote mlmd server uses gRPC, there may need to be a fix released soon for the HTTP2 CVEs CVE-2023-44487 and CVE-2023-39325? [edited: linked to public document]

dhirajsb commented 1 year ago

@XinranTang is this already being addressed by the mlmd team?

XinranTang commented 1 year ago

Hi @dhirajsb, thanks for opening this issue. Can you grant me access to the document and further help me understand why the current version of ml-metadata is affected by HTTP2 CVEs?

dhirajsb commented 1 year ago

Apologies, I accidentally used a link to a private Red Hat document. I have edited the link to a public document that also discusses how to mitigate the issue.

dhirajsb commented 1 year ago

I am not entirely sure whether the mlmd server is affected by this HTTP2 issue or not.