Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory. Reference: https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/#update-23-feb-2021-security-releases-available
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 1932015]
Affects: fedora-all [bug 1932019]
Created nodejs:10/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1932016]
Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1932020]
Created nodejs:13/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1932017]
Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1932018]
Created nodejs:15/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1932021]
Upstream fix:
nodejs-15: https://github.com/nodejs/node/commit/4184806deed6b6c393dd8737aab1dc0c78a24c78
nodejs-14: https://github.com/nodejs/node/commit/afea10b09785996348fc198c8aa97eb10a05cec9
nodejs-12: https://github.com/nodejs/node/commit/922ada77132c1b0b69c9a146822d762b2f9b912b
nodejs-10: https://github.com/nodejs/node/commit/3f2e9dc40c9964965b075c00719829f9bb17e65f
Statement: Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally, there is no impact from this issue on Quay 3.3 and 3.2 because they don't use nodejs as an HTTP server.
[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0734 https://access.redhat.com/errata/RHSA-2021:0734
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0735 https://access.redhat.com/errata/RHSA-2021:0735
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22883
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:0739 https://access.redhat.com/errata/RHSA-2021:0739
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:0741 https://access.redhat.com/errata/RHSA-2021:0741
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0738 https://access.redhat.com/errata/RHSA-2021:0738
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0740 https://access.redhat.com/errata/RHSA-2021:0740
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0744 https://access.redhat.com/errata/RHSA-2021:0744
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:0827 https://access.redhat.com/errata/RHSA-2021:0827
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:0830 https://access.redhat.com/errata/RHSA-2021:0830
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2021:0831 https://access.redhat.com/errata/RHSA-2021:0831