Node.js is vulnerable to a use-after-free attack where an attacker might be able to exploit the memory corruption to change process behavior.

Reference:
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/
Created nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1988395]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1988397]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1988399]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1988400]
Upstream bug tracker:
https://github.com/nodejs/node/issues/38964#issue-914407106

Related upstream PRs:
https://github.com/nodejs/node/pull/39076
https://github.com/nodejs/node/pull/39423
Flaw summary:

Node.js misuses the nghttp2 HTTP/2 library by allowing a JavaScript program to call a non-reentrant function at a time when it is not allowed by the nghttp2 library. This causes a double-free when triggered.

At this time, it is understood that the security flaw is in Node.js rather than nghttp2, since Node.js did not follow the nghttp2 docs with regard to usage of reentrants. In particular, the upstream reporter of this flaw was able to craft a JavaScript program which gets Node.js to make a call to nghttp2_session_close_stream() and ultimately to the nghttp2_session_mem_send() function from within an nghttp2 callback, which is not allowed[1][2].

In the particular circumstance of the upstream report, the grpc library was used to trigger this double free flaw in node.js. There is a separate issue on upstream grpc's bug tracker where this flaw was reported earlier on and determined to be an issue within Node.js itself.[3] This means that other JavaScript programs could potentially trigger similar behavior in unpatched versions of Node.js, for code paths using nghttp2.

1. https://nghttp2.org/documentation/programmers-guide.html#remarks
2. https://github.com/nghttp2/nghttp2/issues/1590
3. https://github.com/grpc/grpc-node/issues/1464
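The reentrancy problem described in the flaw summary above, shown as a general guard pattern in C: a close requested from inside a library callback is queued and carried out once the callback has returned, and the free itself is idempotent. This is an added example, not code from Node.js, nghttp2 or the upstream PRs; the `session` type and every function name in it are hypothetical.

```c
#include <stdlib.h>
#define MAX_STREAMS 8
/* Toy session; hypothetical names, not the nghttp2 or Node.js API. */
typedef struct session {
    void *streams[MAX_STREAMS];           /* per-stream state, NULL once freed */
    int   pending[MAX_STREAMS], npending; /* closes requested during a callback */
    int   in_callback;                    /* nonzero while a callback is on the stack */
    int   frees;                          /* count of real frees, for the demo */
    void (*on_frame)(struct session *, int id);
} session;
static void destroy_stream(session *s, int id) {
    if (id < 0 || id >= MAX_STREAMS || !s->streams[id]) return; /* already gone */
    free(s->streams[id]);
    s->streams[id] = NULL;                /* a repeated close becomes a no-op */
    s->frees++;
}

/* Returns 1 if the close ran now, 0 if it was deferred (or the queue was full). */
int session_close_stream(session *s, int id) {
    if (s->in_callback) {                 /* not allowed to mutate state here */
        if (s->npending < MAX_STREAMS) s->pending[s->npending++] = id;
        return 0;
    }
    destroy_stream(s, id);
    return 1;
}

/* Deliver one frame for stream `id`, then drain the deferred closes. */
void session_process(session *s, int id) {
    s->in_callback = 1;
    if (s->on_frame) s->on_frame(s, id);
    s->in_callback = 0;
    for (int i = 0; i < s->npending; i++) destroy_stream(s, s->pending[i]);
    s->npending = 0;
}

static int alive_in_cb;                   /* was the stream intact inside the callback? */
static void close_from_callback(session *s, int id) { /* constructed caller */
    session_close_stream(s, id);
    session_close_stream(s, id);          /* repeated request from application code */
    alive_in_cb = s->streams[id] != NULL;
}
int demo(void) {                          /* returns the number of frees performed */
    session s = { .on_frame = close_from_callback };
    s.streams[3] = malloc(16);
    session_process(&s, 3);
    return s.frees;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```
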
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22930

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666