Bug 1993029 (CVE-2021-22940) - CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
Summary: CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22940
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1993030 1993031 1993032 1993033 1993034 1993035 1993036 1993038 1993098 1993100 1993102 1993091 1993092 1993093 1993094 1993095 1993096 1993097 1993099 1993101
Blocks: 1993049
TreeView+ depends on / blocked
 
Reported: 2021-08-12 09:49 UTC by Dhananjay Arunesh
Modified: 2021-11-18 10:45 UTC (History)
17 users (show)

Fixed In Version: nodejs 12.22.5, nodejs 14.17.5, nodejs 16.6.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-08-26 15:35:22 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3400 0 None None None 2021-08-31 20:51:24 UTC
Red Hat Product Errata RHBA-2021:3478 0 None None None 2021-09-09 12:33:05 UTC
Red Hat Product Errata RHBA-2021:4731 0 None None None 2021-11-18 10:45:16 UTC
Red Hat Product Errata RHSA-2021:3280 0 None None None 2021-08-26 10:19:06 UTC
Red Hat Product Errata RHSA-2021:3281 0 None None None 2021-08-26 10:15:37 UTC
Red Hat Product Errata RHSA-2021:3623 0 None None None 2021-09-21 13:12:56 UTC
Red Hat Product Errata RHSA-2021:3638 0 None None None 2021-09-22 09:01:09 UTC
Red Hat Product Errata RHSA-2021:3639 0 None None None 2021-09-22 08:51:47 UTC
Red Hat Product Errata RHSA-2021:3666 0 None None None 2021-09-27 07:29:17 UTC

Description Dhananjay Arunesh 2021-08-12 09:49:19 UTC
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow on to CVE-2021-22930 as the issue was not completely resolved in the fix for CVE-2021-22930.

References:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

Comment 1 Dhananjay Arunesh 2021-08-12 09:51:08 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 1993030]
Affects: fedora-all [bug 1993031]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993032]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993033]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993034]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993035]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993036]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993038]

Comment 3 Tomas Hoger 2021-08-12 10:40:52 UTC
Upstream notes that this CVE is for an incomplete fix for CVE-2021-22930, which is tracked via bug 1988394.

Comment 4 Tomas Hoger 2021-08-12 10:49:38 UTC
This seems to be the upstream fix, even though it references the original CVE:

https://github.com/nodejs/node/commit/a3c33d4ce78f74d1cf1765704af5b427aa3840a6
https://github.com/nodejs/node/pull/39622

Comment 6 Todd Cullum 2021-08-12 19:36:31 UTC
Flaw summary:

The underlying flaw is the same as the one identified by CVE-2021-22930. The original fix[1] released upstream for that flaw introduced a check which was based on the stream state: `if (session_->is_in_scope() && !is_writable() && is_reading())` before adding it to the pending stream list. However, this could be manipulated by an attacker and thus leave node.js still vulnerable to the flaw. The new patch[2] instead checks for the frame error code NGHTTP2_CANCEL before adding the RST_STREAM frame to the pending list. Adding the stream to the pending list prevents the data from being force purged and mitigates the double free.

1. https://github.com/nodejs/node/pull/39423/commits/59497fbec184dc0f4f6b9209e3812cc0b5aae113
2. https://github.com/nodejs/node/pull/39622/commits/1b61414ccdd0e1b5969219ba3ec7664d1f3ab495

Comment 8 errata-xmlrpc 2021-08-26 10:15:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

Comment 9 errata-xmlrpc 2021-08-26 10:19:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

Comment 10 Product Security DevOps Team 2021-08-26 15:35:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22940

Comment 11 errata-xmlrpc 2021-09-21 13:12:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

Comment 12 errata-xmlrpc 2021-09-22 08:51:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

Comment 13 errata-xmlrpc 2021-09-22 09:01:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

Comment 15 errata-xmlrpc 2021-09-27 07:29:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666


Note You need to log in before you can comment on or make changes to this bug.