Bug 1182619 - (CVE-2021-22883) VUL-0: CVE-2021-22883: nodejs10,nodejs12,nodejs14,nodejs: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
(CVE-2021-22883)
VUL-0: CVE-2021-22883: nodejs10,nodejs12,nodejs14,nodejs: HTTP2 'unknownProto...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv3.1:SUSE:CVE-2021-22883:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-02-23 15:04 UTC by Gianluca Gabrielli
Modified: 2022-11-30 08:20 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-02-23 15:04:58 UTC
CVE-2021-22883

HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

Impacts:

    All versions of the 15.x, 14.x, 12.x and 10.x releases lines
Comment 1 Gianluca Gabrielli 2021-02-23 15:09:54 UTC
Upstream Patches:

nodejs10: 3f2e9dc40c [0]
nodejs12: 922ada7713 [1]
nodejs14: afea10b097 [2]
nodejs  : 4184806dee [3]

--
[0] https://github.com/nodejs/node/commit/3f2e9dc40c
[1] https://github.com/nodejs/node/commit/922ada7713
[2] https://github.com/nodejs/node/commit/afea10b097
[3] https://github.com/nodejs/node/commit/4184806dee
Comment 2 Adam Majer 2021-02-23 16:54:25 UTC
The reproducer,

https://github.com/nodejs/node/commit/4184806dee#diff-b78ff2b8c6e10a9e52ffe42a47a58fc198f8fdd86316296a795be93c1590e318

doesn't trigger on nodejs8 so I would call it unaffected. Listening on event,

> server.on('unknownProtocol', (socket) => {
>   console.log("unknwon protocol recived");
>   socket.end("buy");
> });

is triggered, as expected, but the socket is closed which does not happen with nodejs10+. Verified manually on the test the sockets are closed by adding 10s exit delay to reproducer,

setTimeout(() => console.log("done test"), 10000);

and then you can use `ss` or similar or look in /proc/$PID/fd
Comment 3 OBSbugzilla Bot 2021-02-23 19:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (1182619) was mentioned in
https://build.opensuse.org/request/show/874671 Factory / nodejs10
https://build.opensuse.org/request/show/874672 Factory / nodejs15
Comment 5 Adam Majer 2021-02-24 09:35:30 UTC
Fixes for all codestreams submitted. Reassigning to security-team for tracking purposes.
Comment 6 Swamp Workflow Management 2021-02-26 20:18:04 UTC
SUSE-SU-2021:0650-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.16.0-6.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-02-26 20:21:38 UTC
SUSE-SU-2021:0651-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.21.0-4.13.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-02-26 20:26:11 UTC
SUSE-SU-2021:0648-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.16.0-5.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-02-26 20:27:27 UTC
SUSE-SU-2021:0649-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.21.0-1.29.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-02-28 02:17:45 UTC
openSUSE-SU-2021:0357-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.21.0-lp152.3.12.1
Comment 11 Swamp Workflow Management 2021-02-28 02:18:47 UTC
openSUSE-SU-2021:0356-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.16.0-lp152.8.1
Comment 12 Swamp Workflow Management 2021-03-02 14:19:52 UTC
SUSE-SU-2021:0673-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs10-10.24.0-1.36.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-03-02 14:21:21 UTC
SUSE-SU-2021:0674-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    nodejs10-10.24.0-1.33.2
SUSE Manager Retail Branch Server 4.0 (src):    nodejs10-10.24.0-1.33.2
SUSE Manager Proxy 4.0 (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.0-1.33.2
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.0-1.33.2
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.0-1.33.2
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.0-1.33.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-03-03 05:18:03 UTC
openSUSE-SU-2021:0372-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182333,1182619,1182620
CVE References: CVE-2021-22883,CVE-2021-22884,CVE-2021-23840
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs10-10.24.0-lp152.2.12.1