CVE-2021-22884

Опубликовано: 18 фев. 2021

Источник: redhat

CVSS3: 7.5

EPSS Низкий

Описание

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

A flaw was found in nodejs. A denial of service is possible when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Отчет

Red Hat Enterprise Linux ships with localhost and localhost6 defined in /etc/hosts, and thus in general, would not be affected by this flaw, with some specific exceptions, such as :

/etc/hosts is disabled or has its default content (including localhost6) removed
the inspector is accessed using SSH tunneling from a remote computer that does not have localhost6 statically defined Red Hat Quay from version 3.4 consumes the nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because they don't use the debug option (--inspect) and nodejs is only used at build time [2]. [1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security [2] https://issues.redhat.com/browse/PROJQUAY-1409

Меры по смягчению последствий

Ensure that 'localhost6' is part of /etc/hosts. e.g.:

$ grep localhost6 /etc/hosts ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 9	nodejs	Not affected
Red Hat Quay 3	quay/quay-rhel8	Will not fix
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2021:0734	04.03.2021
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2021:0735	04.03.2021
Red Hat Enterprise Linux 8	nodejs	Fixed	RHSA-2021:0744	08.03.2021
Red Hat Enterprise Linux 8.1 Extended Update Support	nodejs	Fixed	RHSA-2021:0739	08.03.2021
Red Hat Enterprise Linux 8.1 Extended Update Support	nodejs	Fixed	RHSA-2021:0741	08.03.2021
Red Hat Enterprise Linux 8.2 Extended Update Support	nodejs	Fixed	RHSA-2021:0738	08.03.2021
Red Hat Enterprise Linux 8.2 Extended Update Support	nodejs	Fixed	RHSA-2021:0740	08.03.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-nodejs10-nodejs	Fixed	RHSA-2021:0827	15.03.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=1932024nodejs: DNS rebinding in --inspect

EPSS

Процентиль: 72%

0.00741

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2021-22884

CVSS3: 7.5

ubuntu

больше 4 лет назад

CVE-2021-22884

CVSS3: 7.5

nvd

больше 4 лет назад

CVE-2021-22884

CVSS3: 7.5

debian

больше 4 лет назад

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to ...

openSUSE-SU-2021:0389-1

suse-cvrf

больше 4 лет назад

Security update for nodejs8

SUSE-SU-2021:0686-1

suse-cvrf

больше 4 лет назад

Security update for nodejs8

EPSS

Процентиль: 72%

0.00741

Низкий

7.5 High

CVSS3