Bug 1993029 (CVE-2021-22940)

Summary: CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aarif, bdettelb, caswilli, fjansen, hhorak, jnakfour, jorton, kaycoth, mrunge, mvanderw, nodejs-maint, nodejs-sig, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 12.22.5, nodejs 14.17.5, nodejs 16.6.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-26 15:35:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1993030, 1993031, 1993032, 1993033, 1993034, 1993035, 1993036, 1993038, 1993091, 1993092, 1993093, 1993094, 1993095, 1993096, 1993097, 1993098, 1993099, 1993100, 1993101, 1993102    
Bug Blocks: 1993049    

Description Dhananjay Arunesh 2021-08-12 09:49:19 UTC 
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.

References:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
Comment 1 Dhananjay Arunesh 2021-08-12 09:51:08 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 1993030]
Affects: fedora-all [bug 1993031]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993032]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993033]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993034]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993035]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993036]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993038]
Comment 3 Tomas Hoger 2021-08-12 10:40:52 UTC 
Upstream notes that this CVE is for an incomplete fix for CVE-2021-22930, which is tracked via bug 1988394.
Comment 4 Tomas Hoger 2021-08-12 10:49:38 UTC 
This seems to be the upstream fix, even though it references the original CVE:

https://github.com/nodejs/node/commit/a3c33d4ce78f74d1cf1765704af5b427aa3840a6
https://github.com/nodejs/node/pull/39622
Comment 6 Todd Cullum 2021-08-12 19:36:31 UTC 
Flaw summary:

The underlying flaw is the same as the one identified by CVE-2021-22930. The original fix[1] released upstream for that flaw introduced a check which was based on the stream state: `if (session_->is_in_scope() && !is_writable() && is_reading())` before adding it to the pending stream list. However, this could be manipulated by an attacker and thus leave node.js still vulnerable to the flaw. The new patch[2] instead checks for the frame error code NGHTTP2_CANCEL before adding the RST_STREAM frame to the pending list. Adding the stream to the pending list prevents the data from being force purged and mitigates the double free.

1. https://github.com/nodejs/node/pull/39423/commits/59497fbec184dc0f4f6b9209e3812cc0b5aae113
2. https://github.com/nodejs/node/pull/39622/commits/1b61414ccdd0e1b5969219ba3ec7664d1f3ab495
Comment 8 errata-xmlrpc 2021-08-26 10:15:35 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
Comment 9 errata-xmlrpc 2021-08-26 10:19:04 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
Comment 10 Product Security DevOps Team 2021-08-26 15:35:22 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22940
Comment 11 errata-xmlrpc 2021-09-21 13:12:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623
Comment 12 errata-xmlrpc 2021-09-22 08:51:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
Comment 13 errata-xmlrpc 2021-09-22 09:01:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638
Comment 15 errata-xmlrpc 2021-09-27 07:29:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666