Описание
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
A flaw was found in nodejs. When too many connection attempts with an 'unknownProtocol' are established a leak of file descriptors can occur leading to a potential denial of service. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening. If no file descriptor limit is configured, then this can lead to an excessive memory usage and cause the system to run out of memory. The highest threat from this vulnerability is to system availability.
Отчет
Red Hat Quay from version 3.4 consumes the nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because they don't use nodejs as a HTTP server. [1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 9 | nodejs | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Will not fix | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0734 | 04.03.2021 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0735 | 04.03.2021 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2021:0744 | 08.03.2021 |
| Red Hat Enterprise Linux 8.1 Extended Update Support | nodejs | Fixed | RHSA-2021:0739 | 08.03.2021 |
| Red Hat Enterprise Linux 8.1 Extended Update Support | nodejs | Fixed | RHSA-2021:0741 | 08.03.2021 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | nodejs | Fixed | RHSA-2021:0738 | 08.03.2021 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | nodejs | Fixed | RHSA-2021:0740 | 08.03.2021 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs10-nodejs | Fixed | RHSA-2021:0827 | 15.03.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to ...
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
Уязвимость программной платформы Node.js, связанная с ошибкой механизма контроля расходуемых ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3