Bug 1963121 (CVE-2021-23017)
| Summary: | CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | bcoca, bihu, chousekn, cmeyers, davidn, ecotoper, felix, gblomqui, gghezzo, gparvin, hhorak, jcammara, jeremy, jhardy, jkaluza, jobarker, jorton, jramanat, kaycoth, kkeane, luhliari, mabashia, notting, ollie.yeoh, osapryki, pavel.lisy, peter.borsa, relrod, rpetrell, rschiron, sdoran, security-response-team, smcdonal, stcannon, tjena, tkuratom, wtogami |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nginx 1.21.0, nginx 1.20.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in nginx. An off-by-one error while processing DNS responses allows a network attacker to write a dot character out of bounds in a heap allocated buffer which can allow overwriting the least significant byte of next heap chunk metadata likely leading to a remote code execution in certain circumstances. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-07 09:03:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1963168, 1963169, 1963170, 1963171, 1963172, 1963173, 1963174, 1963175, 1963176, 1963177, 1963178, 1963179, 1963180, 1963181, 1963182, 1963183, 1964526, 1964528, 1964814, 1964820, 1964821, 1974876, 1974878, 1995719, 1996068, 1996071, 1996073, 2031030, 2031031 | ||
| Bug Blocks: | 1962173 | ||
This flaw can be triggered only when `resolver` directive is used in the configuration file of nginx. This directive is used to configure name servers which are used to resolve names of upstream servers into addresses. When the directive is used, a malicious DNS server or an attacker who can intercept and modify the traffic from the DNS server to the nginx server, could trigger this flaw. According to nginx documentation "To prevent DNS spoofing, it is recommended configuring DNS servers in a properly secured trusted local network.", however even in that case we cannot exclude internal attackers who could have access to the local network anyway. As this flaw could be abused by unauthenticated remote users to execute arbitrary code, I set the Impact to Important. Function ngx_resolver_copy() in ngx_resolver.c decompress domain names in DNS messages, however it does not correctly consider the case when a compressed domain name is composed of one or more labels followed by a pointer to the root domain name. In that case it writes the character `.` after the allocated buffer. The Quay container `quay/quay-rhel8` does package nginx however it is installed as an RPM from RHEL. As such quay is not accounted here because once the updated RHEL RPM is released the container will be respun. Analysis is complete for Ansible components. Affected version of nginx are in use in AAP 1.2 and Tower 3.6 and 3.7. However, trackers will be created for AAP 1.2 and Tower 3.7 only as Tower 3.6 became EOL on 14th May 2021. Looks like this went public before we expected. References: https://www.openwall.com/lists/oss-security/2021/05/25/5 http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html Upstream patch: https://nginx.org/download/patch.2021.resolver.txt Created nginx tracking bugs for this issue: Affects: epel-7 [bug 1964821] Affects: fedora-all [bug 1964820] This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2021:2258 https://access.redhat.com/errata/RHSA-2021:2258 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23017 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2259 https://access.redhat.com/errata/RHSA-2021:2259 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2021:2278 https://access.redhat.com/errata/RHSA-2021:2278 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Red Hat Enterprise Linux 8.2 Extended Update Support Red Hat Enterprise Linux 8 Via RHSA-2021:2290 https://access.redhat.com/errata/RHSA-2021:2290 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8 Via RHSA-2021:3653 https://access.redhat.com/errata/RHSA-2021:3653 This is fixed on 3scale-2.11, no minor release needed for 2.10, product decided. This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7 Via RHSA-2021:3873 https://access.redhat.com/errata/RHSA-2021:3873 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Via RHSA-2021:3925 https://access.redhat.com/errata/RHSA-2021:3925 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618 Has this issue been addressed in the nginx:1.20 module stream for Red Hat Enterprise Linux 8? This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0323 https://access.redhat.com/errata/RHSA-2022:0323 |
An off-by-one error in ngx_resolver_copy() while processing DNS responses allows a network attacker to write a dot character ('.', 0x2E) out of bounds in a heap allocated buffer. The vulnerability can be triggered by a DNS response in reply to a DNS request from nginx when the resolver primitive is configured. A specially crafted packet allows overwriting the least significant byte of next heap chunk metadata with 0x2E. A network attacker capable of providing DNS responses to a nginx server can likely achieve remote code execution.