Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930. References: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 1993030] Affects: fedora-all [bug 1993031] Created nodejs:10/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993032] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993033] Created nodejs:13/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993034] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993035] Created nodejs:15/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993036] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1993038]
Upstream notes that this CVE is for an incomplete fix for CVE-2021-22930, which is tracked via bug 1988394.
This seems to be the upstream fix, even though it references the original CVE: https://github.com/nodejs/node/commit/a3c33d4ce78f74d1cf1765704af5b427aa3840a6 https://github.com/nodejs/node/pull/39622
Flaw summary: The underlying flaw is the same as the one identified by CVE-2021-22930. The original fix[1] released upstream for that flaw introduced a check which was based on the stream state: `if (session_->is_in_scope() && !is_writable() && is_reading())` before adding it to the pending stream list. However, this could be manipulated by an attacker and thus leave node.js still vulnerable to the flaw. The new patch[2] instead checks for the frame error code NGHTTP2_CANCEL before adding the RST_STREAM frame to the pending list. Adding the stream to the pending list prevents the data from being force purged and mitigates the double free. 1. https://github.com/nodejs/node/pull/39423/commits/59497fbec184dc0f4f6b9209e3812cc0b5aae113 2. https://github.com/nodejs/node/pull/39622/commits/1b61414ccdd0e1b5969219ba3ec7664d1f3ab495
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22940
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666