Bug 1993029 (CVE-2021-22940)
Summary: | CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | aarif, bdettelb, caswilli, fjansen, hhorak, jnakfour, jorton, kaycoth, mrunge, mvanderw, nodejs-maint, nodejs-sig, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nodejs 12.22.5, nodejs 14.17.5, nodejs 16.6.2 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-26 15:35:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1993030, 1993031, 1993032, 1993033, 1993034, 1993035, 1993036, 1993038, 1993091, 1993092, 1993093, 1993094, 1993095, 1993096, 1993097, 1993098, 1993099, 1993100, 1993101, 1993102 | ||
Bug Blocks: | 1993049 |
Description
Dhananjay Arunesh
2021-08-12 09:49:19 UTC
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 1993030] Affects: fedora-all [bug 1993031] Created nodejs:10/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993032] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993033] Created nodejs:13/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993034] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993035] Created nodejs:15/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993036] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993038] Upstream notes that this CVE is for an incomplete fix for CVE-2021-22930, which is tracked via bug 1988394. This seems to be the upstream fix, even though it references the original CVE: https://github.com/nodejs/node/commit/a3c33d4ce78f74d1cf1765704af5b427aa3840a6 https://github.com/nodejs/node/pull/39622 Flaw summary: The underlying flaw is the same as the one identified by CVE-2021-22930. The original fix[1] released upstream for that flaw introduced a check which was based on the stream state: `if (session_->is_in_scope() && !is_writable() && is_reading())` before adding it to the pending stream list. However, this could be manipulated by an attacker and thus leave node.js still vulnerable to the flaw. The new patch[2] instead checks for the frame error code NGHTTP2_CANCEL before adding the RST_STREAM frame to the pending list. Adding the stream to the pending list prevents the data from being force purged and mitigates the double free. 1. https://github.com/nodejs/node/pull/39423/commits/59497fbec184dc0f4f6b9209e3812cc0b5aae113 2. https://github.com/nodejs/node/pull/39622/commits/1b61414ccdd0e1b5969219ba3ec7664d1f3ab495 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22940 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666 |