Bug 1988394 (CVE-2021-22930) - CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
Summary: CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22930
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1988395 1988397 1988399 1988400 1988592 1988602 1988604 1988593 1988594 1988595 1988596 1988597 1988598 1988599 1988600 1988601 1988603 1988605 1988606 1988607 1988608 1989186 1989187 1989188 1989189
Blocks: 1988398
TreeView+ depends on / blocked
 
Reported: 2021-07-30 13:29 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-18 10:45 UTC (History)
17 users (show)

Fixed In Version: nodejs 12.22.4, nodejs 14.17.4, nodejs 16.6.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit the memory corruption, which causes a change in the process behavior. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-08-26 15:34:59 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3400 0 None None None 2021-08-31 20:51:19 UTC
Red Hat Product Errata RHBA-2021:3478 0 None None None 2021-09-09 12:32:59 UTC
Red Hat Product Errata RHBA-2021:4731 0 None None None 2021-11-18 10:45:11 UTC
Red Hat Product Errata RHSA-2021:3280 0 None None None 2021-08-26 10:18:55 UTC
Red Hat Product Errata RHSA-2021:3281 0 None None None 2021-08-26 10:15:25 UTC
Red Hat Product Errata RHSA-2021:3623 0 None None None 2021-09-21 13:12:28 UTC
Red Hat Product Errata RHSA-2021:3638 0 None None None 2021-09-22 09:00:54 UTC
Red Hat Product Errata RHSA-2021:3639 0 None None None 2021-09-22 08:51:33 UTC
Red Hat Product Errata RHSA-2021:3666 0 None None None 2021-09-27 07:29:05 UTC

Description Guilherme de Almeida Suckevicz 2021-07-30 13:29:24 UTC
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Reference:
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/

Comment 1 Guilherme de Almeida Suckevicz 2021-07-30 13:30:39 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1988395]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1988397]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1988399]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1988400]

Comment 6 Todd Cullum 2021-07-30 23:55:47 UTC
Flaw summary:

Node.js misuses the nghttp2 HTTP/2 library by allowing a JavaScript program to call a non-reentrant function at a time when it is not allowed by the nghttp2 library. This causes a double-free when triggered. At this time, it is understood that the security flaw is in Node.js rather than nghttp2, since Node.js did not follow the nghttp2 docs with regard to usage of reentrants. In particular, the upstream reporter of this flaw was able to craft a  JavaScript program which gets Node.js to make a call to nghttp2_session_close_stream() and ultimately to the nghttp2_session_mem_send() function from within an nghttp2 callback, which is not allowed[1][2].

In the particular circumstance of the upstream report, the grpc library was used to trigger this double free flaw in node.js. There is a separate issue on upstream grpc's bug tracker where this flaw was reported earlier on and determined to be an issue within Node.js itself.[3] This means that other JavaScript programs could potentially trigger similar behavior in unpatched versions of Node.js, for code paths using nghttp2.

1. https://nghttp2.org/documentation/programmers-guide.html#remarks
2. https://github.com/nghttp2/nghttp2/issues/1590
3. https://github.com/grpc/grpc-node/issues/1464

Comment 13 errata-xmlrpc 2021-08-26 10:15:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

Comment 14 errata-xmlrpc 2021-08-26 10:18:53 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

Comment 15 Product Security DevOps Team 2021-08-26 15:34:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22930

Comment 16 errata-xmlrpc 2021-09-21 13:12:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

Comment 17 errata-xmlrpc 2021-09-22 08:51:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

Comment 18 errata-xmlrpc 2021-09-22 09:00:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

Comment 20 errata-xmlrpc 2021-09-27 07:29:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666


Note You need to log in before you can comment on or make changes to this bug.