Hyperledger Indy DOS vulnerability

indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network's expected users. The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks. The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

未加控制的资源消耗(资源穷尽)

Indy Node 资源管理错误漏洞

Indy Node是美国Hyperledger开源的一种分布式账本的服务器部分。专为去中心化身份构建。 Indy Node 存在资源管理错误漏洞，该漏洞源于攻击者可以使用indy-node存储库中提供的指导部署最大化分类帐允许的客户端连接数，从而使分类帐无法用于其预期目的。

N/A

N/A