Bug 1932014 (CVE-2021-22883)
Summary: | CVE-2021-22883 nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | bdettelb, hhorak, jorton, kaycoth, mrunge, mvanderw, nodejs-maint, nodejs-sig, scorneli, sgallagh, tchollingsworth, thrcka, tomckay, vmugicag, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | node 15.10.0, node 14.16.0, node 12.21.0, node 10.24.0 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in nodejs. When too many connections that trigger the HTTP/2 'unknownProtocol' event are established, file descriptors can leak, leading to a potential denial of service. If a file descriptor limit is configured on the system, the server becomes unable to accept new connections and the process is also prevented from opening further files. If no file descriptor limit is configured, the leak can lead to excessive memory usage and cause the system to run out of memory. The highest threat from this vulnerability is to system availability. | ||
Story Points: | --- | ||
Clone Of: | | Environment: | |
Last Closed: | 2021-03-04 19:01:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1932015, 1932016, 1932017, 1932018, 1932019, 1932020, 1932021, 1932305, 1932306, 1932307, 1932308, 1932309, 1932310, 1932311, 1932313, 1932314, 1932315, 1932316, 1932317, 1932318, 1932371, 1932372, 1932373, 1932374, 1933634, 1933635, 1933636, 1934597, 1934598, 1934599 | ||
Bug Blocks: | 1932033 | ||
Description
Guilherme de Almeida Suckevicz
2021-02-23 19:18:15 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1932015]
Affects: fedora-all [bug 1932019]

Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932016]

Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932020]

Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932017]

Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932018]

Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932021]

Upstream fix:

nodejs-15: https://github.com/nodejs/node/commit/4184806deed6b6c393dd8737aab1dc0c78a24c78
nodejs-14: https://github.com/nodejs/node/commit/afea10b09785996348fc198c8aa97eb10a05cec9
nodejs-12: https://github.com/nodejs/node/commit/922ada77132c1b0b69c9a146822d762b2f9b912b
nodejs-10: https://github.com/nodejs/node/commit/3f2e9dc40c9964965b075c00719829f9bb17e65f

Statement:

Red Hat Quay from version 3.4 consumes the nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because they don't use nodejs as an HTTP server.

[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:0734 https://access.redhat.com/errata/RHSA-2021:0734

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:0735 https://access.redhat.com/errata/RHSA-2021:0735

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22883

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0739 https://access.redhat.com/errata/RHSA-2021:0739

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0741 https://access.redhat.com/errata/RHSA-2021:0741

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0738 https://access.redhat.com/errata/RHSA-2021:0738

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0740 https://access.redhat.com/errata/RHSA-2021:0740

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:0744 https://access.redhat.com/errata/RHSA-2021:0744

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0827 https://access.redhat.com/errata/RHSA-2021:0827

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0830 https://access.redhat.com/errata/RHSA-2021:0830

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0831 https://access.redhat.com/errata/RHSA-2021:0831