Bug 1988394 (CVE-2021-22930)

Summary: CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aarif, bdettelb, caswilli, fjansen, hhorak, jnakfour, jorton, kaycoth, mrunge, mvanderw, nodejs-maint, nodejs-sig, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 12.22.4, nodejs 14.17.4, nodejs 16.6.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit the memory corruption, which causes a change in the process behavior. The highest threat from this vulnerability is to confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-26 15:34:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1988395, 1988397, 1988399, 1988400, 1988592, 1988593, 1988594, 1988595, 1988596, 1988597, 1988598, 1988599, 1988600, 1988601, 1988602, 1988603, 1988604, 1988605, 1988606, 1988607, 1988608, 1989186, 1989187, 1989188, 1989189    
Bug Blocks: 1988398    

Description Guilherme de Almeida Suckevicz 2021-07-30 13:29:24 UTC 
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Reference:
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/
Comment 1 Guilherme de Almeida Suckevicz 2021-07-30 13:30:39 UTC 
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1988395]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1988397]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1988399]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1988400]
Comment 2 Todd Cullum 2021-07-30 16:57:08 UTC 
Upstream bug tracker: https://github.com/nodejs/node/issues/38964#issue-914407106

Related upstream PRs:
https://github.com/nodejs/node/pull/39076
https://github.com/nodejs/node/pull/39423
Comment 6 Todd Cullum 2021-07-30 23:55:47 UTC 
Flaw summary:

Node.js misuses the nghttp2 HTTP/2 library by allowing a JavaScript program to call a non-reentrant function at a time when it is not allowed by the nghttp2 library. This causes a double-free when triggered. At this time, it is understood that the security flaw is in Node.js rather than nghttp2, since Node.js did not follow the nghttp2 docs with regard to usage of reentrants. In particular, the upstream reporter of this flaw was able to craft a  JavaScript program which gets Node.js to make a call to nghttp2_session_close_stream() and ultimately to the nghttp2_session_mem_send() function from within an nghttp2 callback, which is not allowed[1][2].

In the particular circumstance of the upstream report, the grpc library was used to trigger this double free flaw in node.js. There is a separate issue on upstream grpc's bug tracker where this flaw was reported earlier on and determined to be an issue within Node.js itself.[3] This means that other JavaScript programs could potentially trigger similar behavior in unpatched versions of Node.js, for code paths using nghttp2.

1. https://nghttp2.org/documentation/programmers-guide.html#remarks
2. https://github.com/nghttp2/nghttp2/issues/1590
3. https://github.com/grpc/grpc-node/issues/1464
Comment 13 errata-xmlrpc 2021-08-26 10:15:23 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
Comment 14 errata-xmlrpc 2021-08-26 10:18:53 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
Comment 15 Product Security DevOps Team 2021-08-26 15:34:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22930
Comment 16 errata-xmlrpc 2021-09-21 13:12:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623
Comment 17 errata-xmlrpc 2021-09-22 08:51:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
Comment 18 errata-xmlrpc 2021-09-22 09:00:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638
Comment 20 errata-xmlrpc 2021-09-27 07:29:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666