Bug 1182619 (CVE-2021-22883)

Summary: VUL-0: CVE-2021-22883: nodejs10,nodejs12,nodejs14,nodejs: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2021-22883:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Description Gianluca Gabrielli 2021-02-23 15:04:58 UTC
CVE-2021-22883

HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and also prevents the process from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.

Impacts:

    All versions of the 15.x, 14.x, 12.x and 10.x release lines
Comment 1 Gianluca Gabrielli 2021-02-23 15:09:54 UTC
Upstream Patches:

nodejs10: 3f2e9dc40c [0]
nodejs12: 922ada7713 [1]
nodejs14: afea10b097 [2]
nodejs  : 4184806dee [3]

--
[0] https://github.com/nodejs/node/commit/3f2e9dc40c
[1] https://github.com/nodejs/node/commit/922ada7713
[2] https://github.com/nodejs/node/commit/afea10b097
[3] https://github.com/nodejs/node/commit/4184806dee
Comment 2 Adam Majer 2021-02-23 16:54:25 UTC
The reproducer,

https://github.com/nodejs/node/commit/4184806dee#diff-b78ff2b8c6e10a9e52ffe42a47a58fc198f8fdd86316296a795be93c1590e318

doesn't trigger on nodejs8 so I would call it unaffected. Listening on event,

> server.on('unknownProtocol', (socket) => {
>   console.log("unknwon protocol recived");
>   socket.end("buy");
> });

is triggered, as expected, but the socket is closed, which does not happen with nodejs10+. Verified manually in the test that the sockets are closed by adding a 10s exit delay to the reproducer,

setTimeout(() => console.log("done test"), 10000);

and then you can use `ss` or similar or look in /proc/$PID/fd
Comment 3 OBSbugzilla Bot 2021-02-23 19:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (1182619) was mentioned in
https://build.opensuse.org/request/show/874671 Factory / nodejs10
https://build.opensuse.org/request/show/874672 Factory / nodejs15
Comment 5 Adam Majer 2021-02-24 09:35:30 UTC
Fixes for all codestreams submitted. Reassigning to security-team for tracking purposes.
Comment 6 Swamp Workflow Management 2021-02-26 20:18:04 UTC
SUSE-SU-2021:0650-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.16.0-6.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-02-26 20:21:38 UTC
SUSE-SU-2021:0651-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.21.0-4.13.2

Comment 8 Swamp Workflow Management 2021-02-26 20:26:11 UTC
SUSE-SU-2021:0648-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.16.0-5.9.1

Comment 9 Swamp Workflow Management 2021-02-26 20:27:27 UTC
SUSE-SU-2021:0649-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.21.0-1.29.2

Comment 10 Swamp Workflow Management 2021-02-28 02:17:45 UTC
openSUSE-SU-2021:0357-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.21.0-lp152.3.12.1
Comment 11 Swamp Workflow Management 2021-02-28 02:18:47 UTC
openSUSE-SU-2021:0356-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.16.0-lp152.8.1
Comment 12 Swamp Workflow Management 2021-03-02 14:19:52 UTC
SUSE-SU-2021:0673-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs10-10.24.0-1.36.2

Comment 13 Swamp Workflow Management 2021-03-02 14:21:21 UTC
SUSE-SU-2021:0674-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    nodejs10-10.24.0-1.33.2
SUSE Manager Retail Branch Server 4.0 (src):    nodejs10-10.24.0-1.33.2
SUSE Manager Proxy 4.0 (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.0-1.33.2
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.0-1.33.2
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.0-1.33.2

Comment 14 Swamp Workflow Management 2021-03-03 05:18:03 UTC
openSUSE-SU-2021:0372-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs10-10.24.0-lp152.2.12.1