Vulnerability CVE-2021-22883 - CERT Civis.Net

Vulnerability Name:

CVE-2021-22883 (CCN-197190)

Assigned:

2021-02-20

Published:

2021-02-20

Updated:

2022-10-24

Summary:

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-772
CWE-400

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2021-22883

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: XF
Type: UNKNOWN
nodejs-cve202122883-dos(197190)

Source: MISC
Type: Permissions Required, Third Party Advisory
https://hackerone.com/reports/1043360

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-a760169c3c

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-f6bd75e9d4

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-6aaba80ba2

Source: CCN
Type: Node.js Blog, 2021-02-23
February 2021 Security Releases

Source: MISC
Type: Patch, Release Notes, Vendor Advisory
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210416-0001/

Source: CCN
Type: IBM Security Bulletin 6428997 (SDK for Node.js for Bluemix)
Multiple vulnerabilities affect IBM SDK for Node.js in IBM Cloud

Source: CCN
Type: IBM Security Bulletin 6436083 (Business Automation Workflow)
Multiple vulnerabilities in node.js may affect configuration editor used in IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-1971, CVE-2020-8265, CVE-2020-8287

Source: CCN
Type: IBM Security Bulletin 6437245 (InfoSphere Information Server)
Multiple vulnerabilities in Node.js affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6438719 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is affected by multiple Node.js vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6448842 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service through the Node.js runtime

Source: CCN
Type: IBM Security Bulletin 6450779 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6453063 (Cloud Automation Manager)
A security vulnerability in Node.js affects IBM Cloud Automation Manager

Source: CCN
Type: IBM Security Bulletin 6453079 (Cloud Pak for Multicloud Management)
A security vulnerability in Node.js affects IBM Cloud Pak for Multicloud Management Managed Service

Source: CCN
Type: IBM Security Bulletin 6453115 (Cloud Pak for Security)
Cloud Pak for Security contains security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6454803 (Spectrum Control)
Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control

Source: CCN
Type: IBM Security Bulletin 6463275 (Event Streams)
IBM Event Streams is potentially affected by multiple node vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6463977 (Integration Bus)
IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-22884, CVE-2021-22883)

Source: CCN
Type: IBM Security Bulletin 6466599 (Spectrum Protect Plus)
Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6473525 (API Connect)
IBM API Connect is impacted by vulnerabilities in node.js and OpenSSL (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883)

Source: CCN
Type: IBM Security Bulletin 6476624 (WA for ICP)
Potential vulnerability with Node.js

Source: CCN
Type: IBM Security Bulletin 6486343 (Cloud Private)
IBM Cloud Private is vulnerable to OpenSSL and Node.js vulnerabilities (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883)

Source: CCN
Type: IBM Security Bulletin 6510192 (API Connect)
IBM API Connect is impacted by a vulnerabilities in Node.js (CVE-2021-22884, CVE-2021-22883)

Source: CCN
Type: IBM Security Bulletin 6570957 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6591203 (Netcool Agile Service Manager)
Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:

Configuration 1:

cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:* (Version >= 15.0.0 and < 15.10.0)

OR cpe:/a:nodejs:node.js:*:*:*:*:lts:*:*:* (Version >= 14.0.0 and < 14.16.0)

OR cpe:/a:nodejs:node.js:*:*:*:*:lts:*:*:* (Version >= 12.0.0 and < 12.21.0)

OR cpe:/a:nodejs:node.js:*:*:*:*:lts:*:*:* (Version >= 10.0.0 and < 10.24.0)

Configuration 2:

cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

OR cpe:/a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*

OR cpe:/a:oracle:nosql_database:*:*:*:*:*:*:*:* (Version < 20.3)

OR cpe:/a:oracle:mysql_cluster:*:*:*:*:*:*:*:* (Version <= 8.0.25)

OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* (Version < 9.2.6.0)

Configuration 5:

cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:nodejs:node.js:10:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:12:*:*:*:*:*:*:*

OR cpe:/a:nodejs:node.js:14.0:*:*:*:*:*:*:*

AND

cpe:/a:ibm:business_process_manager:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:5.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_process_manager:8.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:2018.4.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:18.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:19.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:20.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.4.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:2019.4.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.4.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:10.0.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_transformation_advisor:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:2018.4.1.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:event_streams:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:5.0.8.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8179	P	Security update for terraform-provider-null (Important) (in QA)	2023-06-20
oval:org.opensuse.security:def:8177	P	Security update for terraform-provider-aws (Important) (in QA)	2023-06-20
oval:org.opensuse.security:def:8178	P	Security update for terraform-provider-helm (Important) (in QA)	2023-06-20
oval:org.opensuse.security:def:641	P	Security update for nodejs12 (Moderate) (in QA)	2022-09-30
oval:org.opensuse.security:def:642	P	Security update for nodejs10 (Moderate) (in QA)	2022-09-30
oval:org.opensuse.security:def:93316	P	(Important)	2022-07-13
oval:org.opensuse.security:def:99206	P	(Critical)	2022-02-08
oval:org.opensuse.security:def:93163	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:113037	P	nodejs14-14.17.5-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106478	P	nodejs14-14.17.5-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:99403	P	(Important)	2021-08-14
oval:org.opensuse.security:def:101418	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2328	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63416	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63417	P	nodejs14-14.16.0-5.9.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101417	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2327	P	nodejs12-12.21.0-4.13.2 on GA media (Moderate)	2021-08-10
oval:com.redhat.rhsa:def:20210744	P	RHSA-2021:0744: nodejs:14 security and bug fix update (Important)	2021-03-08
oval:com.redhat.rhsa:def:20210734	P	RHSA-2021:0734: nodejs:12 security update (Important)	2021-03-04
oval:com.redhat.rhsa:def:20210735	P	RHSA-2021:0735: nodejs:10 security update (Important)	2021-03-04
oval:org.opensuse.security:def:111245	P	Security update for nodejs10 (Important)	2021-03-03
oval:org.opensuse.security:def:96144	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:92652	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:69793	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:49463	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:9458	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:99602	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:92061	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:10403	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:8709	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:99011	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:92851	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:69992	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:9653	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:99801	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:92256	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:97254	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:69268	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:118596	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:102834	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:8900	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:20992	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:93010	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:70352	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:9852	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:100113	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:109500	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:92453	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:69598	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:9095	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:70543	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:10212	P	Security update for nodejs10 (Important)	2021-03-02
oval:org.opensuse.security:def:111240	P	Security update for nodejs14 (Important)	2021-02-27
oval:org.opensuse.security:def:111241	P	Security update for nodejs12 (Important)	2021-02-27
oval:org.opensuse.security:def:20990	P	Security update for nodejs12 (Important)	2021-02-26
oval:org.opensuse.security:def:109498	P	Security update for nodejs14 (Important)	2021-02-26
oval:org.opensuse.security:def:97246	P	Security update for nodejs12 (Important)	2021-02-26
oval:org.opensuse.security:def:69267	P	Security update for nodejs12 (Important)	2021-02-26
oval:org.opensuse.security:def:118595	P	Security update for nodejs12 (Important)	2021-02-26
oval:org.opensuse.security:def:102833	P	Security update for nodejs12 (Important)	2021-02-26
oval:org.opensuse.security:def:20991	P	Security update for nodejs14 (Important)	2021-02-26
oval:org.opensuse.security:def:96142	P	Security update for nodejs14 (Important)	2021-02-26
oval:org.opensuse.security:def:109499	P	Security update for nodejs12 (Important)	2021-02-26
oval:org.opensuse.security:def:49461	P	Security update for nodejs12 (Important)	2021-02-26
oval:org.opensuse.security:def:96143	P	Security update for nodejs12 (Important)	2021-02-26
oval:org.opensuse.security:def:49462	P	Security update for nodejs14 (Important)	2021-02-26
oval:org.opensuse.security:def:97245	P	Security update for nodejs14 (Important)	2021-02-26
oval:org.opensuse.security:def:69266	P	Security update for nodejs14 (Important)	2021-02-26
oval:org.opensuse.security:def:118594	P	Security update for nodejs14 (Important)	2021-02-26
oval:org.opensuse.security:def:102832	P	Security update for nodejs14 (Important)	2021-02-26