CVE-2023-31039: Apache bRPC Remote Code Execution Vulnerability
Apache bRPC, an industrial-grade RPC framework written in C++, has recently come under scrutiny because of a security vulnerability. bRPC is an Apache Top-Level Project and is widely deployed in high-performance systems such as search, storage, machine learning, advertising, and recommendation. The vulnerability, CVE-2023-31039, is rated "important" in severity and affects Apache bRPC versions 0.9.0 through 1.4.9 on all platforms.
The flaw lies in how Apache bRPC handles the ServerOptions::pid_file parameter. An attacker who can influence the value of ServerOptions::pid_file at the time the bRPC server starts can execute arbitrary code with the same permissions as the bRPC process, which may compromise the integrity of the host.
To mitigate the risk posed by CVE-2023-31039, users of Apache bRPC are advised to take one of the following steps:
1. Upgrade to Apache bRPC version 1.5.0 or higher. The latest release can be downloaded here.
2. If upgrading to a newer version of bRPC is not feasible, users can apply a patch to their existing installation. This patch can be accessed via this link.
Regardless of which of the above solutions is applied, it is crucial to ensure that brpc::ServerOptions::pid_file is never set from user input or any other untrusted source. If the value can only come from the operator's own configuration, an attacker has no way to influence it in the first place, which closes this attack path independently of the code fix.
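One way an operator can enforce that rule before populating brpc::ServerOptions is to validate the path at startup and refuse to run if it fails. The following is an added example, not code from Apache bRPC or its advisory; the directory constant kPidDir and the functions IsAllowedPidFile and ChoosePidFile are assumptions for this illustration, as are the sample inputs at the bottom.

```cpp
// Added example, not bRPC's own code: a guard that decides whether a path is
// acceptable for brpc::ServerOptions::pid_file. kPidDir, IsAllowedPidFile and
// ChoosePidFile are names assumed for this illustration.
#include <cstdio>
#include <string>
#include <vector>

// Assumed deployment constant: the single directory, created at install
// time, in which this service is allowed to write its pid file.
static const char* const kPidDir = "/var/run/myservice";

// Characters that a POSIX shell or a glob would interpret, plus control
// bytes. A pid file name never needs any of them, so reject rather than quote.
static bool HasShellMetachar(const std::string& s) {
    static const std::string kBad = " \t\n\r;|&$`'\"\\<>(){}[]*?!~#";
    for (char c : s) {
        const unsigned char u = static_cast<unsigned char>(c);
        if (u < 0x20 || u == 0x7f) return true;
        if (kBad.find(c) != std::string::npos) return true;
    }
    return false;
}

// Splits an absolute POSIX path into components, resolving "." and ".."
// lexically (no filesystem access). Returns false for a relative path or
// for a ".." that would climb above "/".
static bool NormalizeAbsolute(const std::string& path, std::vector<std::string>* out) {
    out->clear();
    if (path.empty() || path[0] != '/') return false;
    size_t i = 1;
    while (i <= path.size()) {
        size_t j = path.find('/', i);
        if (j == std::string::npos) j = path.size();
        const std::string part = path.substr(i, j - i);
        if (part.empty() || part == ".") {
            // "//" or "/./": nothing to record
        } else if (part == "..") {
            if (out->empty()) return false;
            out->pop_back();
        } else {
            out->push_back(part);
        }
        i = j + 1;
    }
    return true;
}

// Accepts only an absolute, metacharacter-free path that names a file
// directly inside kPidDir (no subdirectories, so the server never has to
// create parent directories from a caller-supplied string).
bool IsAllowedPidFile(const std::string& candidate) {
    if (HasShellMetachar(candidate)) return false;
    std::vector<std::string> want, got;
    if (!NormalizeAbsolute(kPidDir, &want)) return false;
    if (!NormalizeAbsolute(candidate, &got)) return false;
    if (got.size() != want.size() + 1) return false;
    for (size_t k = 0; k < want.size(); ++k) {
        if (got[k] != want[k]) return false;
    }
    return true;
}

// Startup policy: the pid file comes from the operator's own configuration
// (configured_path), never from a request or an untrusted client. If that
// value fails the check the server refuses to start instead of falling back
// to a looser path. Returns the value to assign to
// brpc::ServerOptions::pid_file, or an empty string meaning "abort startup".
std::string ChoosePidFile(const std::string& configured_path) {
    const std::string path = configured_path.empty()
        ? std::string(kPidDir) + "/server.pid"
        : configured_path;
    if (!IsAllowedPidFile(path)) {
        std::fprintf(stderr, "refusing to start: pid_file %s is outside %s or malformed\n",
                     path.c_str(), kPidDir);
        return std::string();
    }
    return path;
}

int main() {
    // Constructed sample inputs: one operator-supplied value that passes and
    // two shapes an attacker-controlled setting might take.
    const char* samples[] = {
        "/var/run/myservice/server.pid",
        "/var/run/myservice/../../../tmp/evil.pid",
        "/var/run/myservice/x.pid;id",
    };
    for (const char* s : samples) {
        std::printf("%-45s -> %s\n", s, IsAllowedPidFile(s) ? "allowed" : "rejected");
    }
    return 0;
}
```

The intended use is to call ChoosePidFile once in the server's startup code, assign a non-empty result to the pid_file field of the brpc::ServerOptions passed to the server, and exit on an empty result. Confining the file to a fixed, pre-created directory and rejecting shell metacharacters means the value is safe even on an unpatched build, but it is a defence-in-depth measure and not a substitute for upgrading to 1.5.0 or applying the patch.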