CVE-2021-22883

nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

Node.js versiones anteriores a 10.24.0, 12.21.0, 14.16.0 y 15.10.0, es vulnerable a un ataque de denegación de servicio cuando son establecidos demasiados intentos de conexión con un "unknownProtocol". Esto conlleva a una filtración de descriptores de archivos. Si es configurado un límite de descriptor de archivo en el sistema, entonces el servidor no puede aceptar nuevas conexiones e impide que el proceso también se abra, por ejemplo, un archivo. Si no es configurado ningún límite de descriptor de archivo, esto conllevará a un uso excesivo de la memoria y causará al sistema quedarse sin memoria

A flaw was found in nodejs. When too many connection attempts with an 'unknownProtocol' are established a leak of file descriptors can occur leading to a potential denial of service. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening. If no file descriptor limit is configured, then this can lead to an excessive memory usage and cause the system to run out of memory. The highest threat from this vulnerability is to system availability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-06 CVE Reserved
2021-02-28 CVE Published
2023-11-17 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-772: Missing Release of Resource after Effective Lifetime

CAPEC

References (11)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20210416-0001	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf	2023-11-07
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases	2023-11-07
https://www.oracle.com//security-alerts/cpujul2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuApr2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-22883	2021-03-15
https://bugzilla.redhat.com/show_bug.cgi?id=1932014	2021-03-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 10.0.0 < 10.24.0 Search vendor "Nodejs" for product "Node.js" and version " >= 10.0.0 < 10.24.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 12.0.0 < 12.21.0 Search vendor "Nodejs" for product "Node.js" and version " >= 12.0.0 < 12.21.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 14.0.0 < 14.16.0 Search vendor "Nodejs" for product "Node.js" and version " >= 14.0.0 < 14.16.0"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 15.0.0 < 15.10.0 Search vendor "Nodejs" for product "Node.js" and version " >= 15.0.0 < 15.10.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Netapp Search vendor "Netapp"		E-series Performance Analyzer Search vendor "Netapp" for product "E-series Performance Analyzer"				-		-		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				19.3.5 Search vendor "Oracle" for product "Graalvm" and version "19.3.5"		enterprise		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				20.3.1.2 Search vendor "Oracle" for product "Graalvm" and version "20.3.1.2"		enterprise		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				21.0.0.2 Search vendor "Oracle" for product "Graalvm" and version "21.0.0.2"		enterprise		Affected
Oracle Search vendor "Oracle"		Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools"				< 9.2.6.0 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " < 9.2.6.0"		-		Affected
Oracle Search vendor "Oracle"		Mysql Cluster Search vendor "Oracle" for product "Mysql Cluster"				<= 8.0.25 Search vendor "Oracle" for product "Mysql Cluster" and version " <= 8.0.25"		-		Affected
Oracle Search vendor "Oracle"		Nosql Database Search vendor "Oracle" for product "Nosql Database"				< 20.3 Search vendor "Oracle" for product "Nosql Database" and version " < 20.3"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.59 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.59"		-		Affected
Siemens Search vendor "Siemens"		Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services"				< 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1"		-		Affected