Bug 1932014 (CVE-2021-22883) - CVE-2021-22883 nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
Summary: CVE-2021-22883 nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22883
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1932015 1932016 1932017 1932018 1932019 1932020 1932021 1932305 1932306 1932307 1932308 1932309 1932310 1932311 1932313 1932314 1932315 1932316 1932317 1932318 1932371 1932372 1932373 1932374 1933634 1933635 1933636 1934597 1934598 1934599
Blocks: 1932033
TreeView+ depends on / blocked
 
Reported: 2021-02-23 19:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:11 UTC (History)
15 users (show)

Fixed In Version: node 15.10.0, node 14.16.0, node 12.21.0, node 10.24.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs. When too many connection attempts with an 'unknownProtocol' are established a leak of file descriptors can occur leading to a potential denial of service. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening. If no file descriptor limit is configured, then this can lead to an excessive memory usage and cause the system to run out of memory. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-03-04 19:01:56 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0737 0 None None None 2021-03-08 01:23:54 UTC
Red Hat Product Errata RHBA-2021:0803 0 None None None 2021-03-10 16:58:16 UTC
Red Hat Product Errata RHBA-2021:0807 0 None None None 2021-03-10 17:28:22 UTC
Red Hat Product Errata RHBA-2021:0912 0 None None None 2021-03-17 06:02:54 UTC
Red Hat Product Errata RHBA-2021:0929 0 None None None 2021-03-18 10:23:16 UTC
Red Hat Product Errata RHSA-2021:0734 0 None None None 2021-03-04 15:59:24 UTC
Red Hat Product Errata RHSA-2021:0735 0 None None None 2021-03-04 16:05:08 UTC
Red Hat Product Errata RHSA-2021:0738 0 None None None 2021-03-08 10:23:06 UTC
Red Hat Product Errata RHSA-2021:0739 0 None None None 2021-03-08 10:14:41 UTC
Red Hat Product Errata RHSA-2021:0740 0 None None None 2021-03-08 10:27:13 UTC
Red Hat Product Errata RHSA-2021:0741 0 None None None 2021-03-08 10:19:55 UTC
Red Hat Product Errata RHSA-2021:0744 0 None None None 2021-03-08 10:32:56 UTC
Red Hat Product Errata RHSA-2021:0827 0 None None None 2021-03-15 14:50:13 UTC
Red Hat Product Errata RHSA-2021:0830 0 None None None 2021-03-15 14:53:10 UTC
Red Hat Product Errata RHSA-2021:0831 0 None None None 2021-03-15 14:57:21 UTC

Description Guilherme de Almeida Suckevicz 2021-02-23 19:18:15 UTC 
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

Reference:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/#update-23-feb-2021-security-releases-available
Comment 1 Guilherme de Almeida Suckevicz 2021-02-23 19:24:39 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1932015]
Affects: fedora-all [bug 1932019]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932016]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932020]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932017]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932018]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1932021]
Comment 6 Cedric Buissart 2021-02-24 14:08:15 UTC 
Upstream fix :

nodejs-15: https://github.com/nodejs/node/commit/4184806deed6b6c393dd8737aab1dc0c78a24c78
nodejs-14: https://github.com/nodejs/node/commit/afea10b09785996348fc198c8aa97eb10a05cec9
nodejs-12: https://github.com/nodejs/node/commit/922ada77132c1b0b69c9a146822d762b2f9b912b
nodejs-10: https://github.com/nodejs/node/commit/3f2e9dc40c9964965b075c00719829f9bb17e65f
Comment 8 Jason Shepherd 2021-03-03 01:27:34 UTC 
Statement:

Red Hat Quay from version 3.4 consumes the nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because they don't use nodejs as a HTTP server.
[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security
Comment 10 errata-xmlrpc 2021-03-04 15:59:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0734 https://access.redhat.com/errata/RHSA-2021:0734
Comment 11 errata-xmlrpc 2021-03-04 16:05:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0735 https://access.redhat.com/errata/RHSA-2021:0735
Comment 12 Product Security DevOps Team 2021-03-04 19:01:56 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22883
Comment 13 errata-xmlrpc 2021-03-08 10:14:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0739 https://access.redhat.com/errata/RHSA-2021:0739
Comment 14 errata-xmlrpc 2021-03-08 10:19:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0741 https://access.redhat.com/errata/RHSA-2021:0741
Comment 15 errata-xmlrpc 2021-03-08 10:23:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0738 https://access.redhat.com/errata/RHSA-2021:0738
Comment 16 errata-xmlrpc 2021-03-08 10:27:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0740 https://access.redhat.com/errata/RHSA-2021:0740
Comment 17 errata-xmlrpc 2021-03-08 10:32:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0744 https://access.redhat.com/errata/RHSA-2021:0744
Comment 18 errata-xmlrpc 2021-03-15 14:50:13 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0827 https://access.redhat.com/errata/RHSA-2021:0827
Comment 19 errata-xmlrpc 2021-03-15 14:53:05 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0830 https://access.redhat.com/errata/RHSA-2021:0830
Comment 20 errata-xmlrpc 2021-03-15 14:57:17 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:0831 https://access.redhat.com/errata/RHSA-2021:0831
Note You need to log in before you can comment on or make changes to this bug.