Bugzilla – Bug 1189368
VUL-0: CVE-2021-22940: nodejs10,nodejs12,nodejs14,nodejs: Use after free on close http2 on stream canceling
Last modified: 2022-08-19 19:22:04 UTC
Node.js was vulnerable to a use-after-free attack where an attacker might be able to exploit memory corruption to change process behavior. The issue is a follow-on to CVE-2021-22930, as the issue was not completely resolved in the fix for CVE-2021-22930.

You can read more about it in: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940

Impacts: All versions of the 16.x, 14.x, and 12.x release lines

Thank you to Eran Levin (exx8) for reporting the original vulnerability and those who helped identify the remaining issues.

https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
This is an autogenerated message for OBS integration: This bug (1189368) was mentioned in
https://build.opensuse.org/request/show/911861 Factory / nodejs16
https://build.opensuse.org/request/show/911862 Factory / nodejs14
This is an autogenerated message for OBS integration: This bug (1189368) was mentioned in
https://build.opensuse.org/request/show/913180 Factory / nodejs16
# maintenance_jira_update_notice
SUSE-SU-2021:2824-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs12-12.22.5-1.35.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice
SUSE-SU-2021:2875-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs12-12.22.5-4.19.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): nodejs12-12.22.5-4.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice
openSUSE-SU-2021:2875-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): nodejs12-12.22.5-4.19.1
# maintenance_jira_update_notice
openSUSE-SU-2021:1214-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): nodejs12-12.22.5-lp152.3.18.1
SUSE-SU-2021:3184-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs14-14.17.5-6.15.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:3211-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs14-14.17.5-5.15.5
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): nodejs14-14.17.5-5.15.5
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3211-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): nodejs14-14.17.5-5.15.5
openSUSE-SU-2021:1313-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1188881,1188917,1189368,1189369,1189370
CVE References: CVE-2021-22930,CVE-2021-22931,CVE-2021-22939,CVE-2021-22940,CVE-2021-3672
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): nodejs14-14.17.5-lp152.14.1
@Adam, is backporting this one to nodejs10 still possible?
SUSE-SU-2022:2855-1: An update that fixes 8 vulnerabilities is now available.
Category: security (important)
Bug References: 1188917,1189368,1191601,1191602,1201325,1201326,1201327,1201328
CVE References: CVE-2021-22930,CVE-2021-22940,CVE-2021-22959,CVE-2021-22960,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): nodejs10-10.24.1-150000.1.47.1
openSUSE Leap 15.3 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Manager Server 4.1 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Manager Retail Branch Server 4.1 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Manager Proxy 4.1 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): nodejs10-10.24.1-150000.1.47.1
SUSE Enterprise Storage 7 (src): nodejs10-10.24.1-150000.1.47.1
SUSE Enterprise Storage 6 (src): nodejs10-10.24.1-150000.1.47.1
SUSE CaaS Platform 4.0 (src): nodejs10-10.24.1-150000.1.47.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.