Crosslinking transaction attack in hyperledger/fabric
Description
Hyperledger Fabric is an open source permissioned distributed ledger framework. Combining two molecules to one another, called "cross-linking" results in a molecule with a chemical formula that is composed of all atoms of the original two molecules. In Fabric, one can take a block of transactions and cross-link the transactions in a way that alters the way the peers parse the transactions. If a first peer receives a block B and a second peer receives a block identical to B but with the transactions being cross-linked, the second peer will parse transactions in a different way and thus its world state will deviate from the first peer. Orderers or peers cannot detect that a block has its transactions cross-linked, because there is a vulnerability in the way Fabric hashes the transactions of blocks. It simply and naively concatenates them, which is insecure and lets an adversary craft a "cross-linked block" (block with cross-linked transactions) which alters the way peers process transactions. For example, it is possible to select a transaction and manipulate a peer to completely avoid processing it, without changing the computed hash of the block. Additional validations have been added in v2.2.14 and v2.5.5 to detect potential cross-linking issues before processing blocks. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hyperledger/fabricGo | >= 1.0.0-alpha, < 2.2.14 | 2.2.14 |
github.com/hyperledger/fabricGo | >= 2.3.0, < 2.5.5 | 2.5.5 |
Affected products
5- osv-coords4 versionspkg:bitnami/hyperledger-fabric-ordererpkg:bitnami/hyperledger-fabric-peerpkg:bitnami/hyperledger-fabric-toolspkg:golang/github.com/hyperledger/fabric
>= 1.0.0, < 2.2.14+ 3 more
- (no CPE)range: >= 1.0.0, < 2.2.14
- (no CPE)range: >= 1.0.0, < 2.2.14
- (no CPE)range: >= 1.0.0, < 2.2.14
- (no CPE)range: >= 1.0.0-alpha, < 2.2.14
- Range: >= 1.0.0, < 2.2.14
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-v9w2-543f-h69mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-46132ghsaADVISORY
- github.com/hyperledger/fabric/commit/389b2e66de9a6fbc6043216d554c97bbbdf0e008ghsaWEB
- github.com/hyperledger/fabric/commit/93bef10bd3ce3c54d7f3b064f765dbde61da7defghsaWEB
- github.com/hyperledger/fabric/pull/4503ghsaWEB
- github.com/hyperledger/fabric/pull/4504ghsaWEB
- github.com/hyperledger/fabric/releases/tag/v2.2.14ghsaWEB
- github.com/hyperledger/fabric/releases/tag/v2.5.5ghsaWEB
- github.com/hyperledger/fabric/security/advisories/GHSA-v9w2-543f-h69mghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.