Bug 1932014 (CVE-2021-22883) - CVE-2021-22883 nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
Summary: CVE-2021-22883 nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22883
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1932015 1932305 1932309 1932311 1933636 1932016 1932017 1932018 1932019 1932020 1932021 1932306 1932307 1932308 1932310 1932313 1932314 1932315 1932316 1932317 1932318 1932371 1932372 1932373 1932374 1933634 1933635 1934597 1934598 1934599
Blocks: 1932033
TreeView+ depends on / blocked
 
Reported: 2021-02-23 19:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-04-27 07:22 UTC (History)
15 users (show)

Fixed In Version: node 15.10.0, node 14.16.0, node 12.21.0, node 10.24.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs. When too many connection attempts with an 'unknownProtocol' are established a leak of file descriptors can occur leading to a potential denial of service. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening. If no file descriptor limit is configured, then this can lead to an excessive memory usage and cause the system to run out of memory. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-03-04 19:01:56 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0737 0 None None None 2021-03-08 01:23:54 UTC
Red Hat Product Errata RHBA-2021:0803 0 None None None 2021-03-10 16:58:16 UTC
Red Hat Product Errata RHBA-2021:0807 0 None None None 2021-03-10 17:28:22 UTC
Red Hat Product Errata RHBA-2021:0912 0 None None None 2021-03-17 06:02:54 UTC
Red Hat Product Errata RHBA-2021:0929 0 None None None 2021-03-18 10:23:16 UTC
Red Hat Product Errata RHSA-2021:0734 0 None None None 2021-03-04 15:59:24 UTC
Red Hat Product Errata RHSA-2021:0735 0 None None None 2021-03-04 16:05:08 UTC
Red Hat Product Errata RHSA-2021:0738 0 None None None 2021-03-08 10:23:06 UTC
Red Hat Product Errata RHSA-2021:0739 0 None None None 2021-03-08 10:14:41 UTC
Red Hat Product Errata RHSA-2021:0740 0 None None None 2021-03-08 10:27:13 UTC
Red Hat Product Errata RHSA-2021:0741 0 None None None 2021-03-08 10:19:55 UTC
Red Hat Product Errata RHSA-2021:0744 0 None None None 2021-03-08 10:32:56 UTC
Red Hat Product Errata RHSA-2021:0827 0 None None None 2021-03-15 14:50:13 UTC
Red Hat Product Errata RHSA-2021:0830 0 None None None 2021-03-15 14:53:10 UTC
Red Hat Product Errata RHSA-2021:0831 0 None None None 2021-03-15 14:57:21 UTC

Description Guilherme de Almeida Suckevicz 2021-02-23 19:18:15 UTC
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

Reference:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/#update-23-feb-2021-security-releases-available

Comment 1 Guilherme de Almeida Suckevicz 2021-02-23 19:24:39 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1932015]
Affects: fedora-all [bug 1932019]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932016]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932020]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932017]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932018]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932021]

Comment 8 Jason Shepherd 2021-03-03 01:27:34 UTC
Statement:

Red Hat Quay from version 3.4 consumes the nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because they don't use nodejs as a HTTP server.
[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security

Comment 10 errata-xmlrpc 2021-03-04 15:59:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0734 https://access.redhat.com/errata/RHSA-2021:0734

Comment 11 errata-xmlrpc 2021-03-04 16:05:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0735 https://access.redhat.com/errata/RHSA-2021:0735

Comment 12 Product Security DevOps Team 2021-03-04 19:01:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22883

Comment 13 errata-xmlrpc 2021-03-08 10:14:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0739 https://access.redhat.com/errata/RHSA-2021:0739

Comment 14 errata-xmlrpc 2021-03-08 10:19:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0741 https://access.redhat.com/errata/RHSA-2021:0741

Comment 15 errata-xmlrpc 2021-03-08 10:23:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0738 https://access.redhat.com/errata/RHSA-2021:0738

Comment 16 errata-xmlrpc 2021-03-08 10:27:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0740 https://access.redhat.com/errata/RHSA-2021:0740

Comment 17 errata-xmlrpc 2021-03-08 10:32:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0744 https://access.redhat.com/errata/RHSA-2021:0744

Comment 18 errata-xmlrpc 2021-03-15 14:50:13 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0827 https://access.redhat.com/errata/RHSA-2021:0827

Comment 19 errata-xmlrpc 2021-03-15 14:53:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0830 https://access.redhat.com/errata/RHSA-2021:0830

Comment 20 errata-xmlrpc 2021-03-15 14:57:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0831 https://access.redhat.com/errata/RHSA-2021:0831


Note You need to log in before you can comment on or make changes to this bug.