CVE-2021-22883
First published: Sat Feb 20 2021(Updated: )
A flaw was found in nodejs. When too many connection attempts with an 'unknownProtocol' are established a leak of file descriptors can occur leading to a potential denial of service. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening. If no file descriptor limit is configured, then this can lead to an excessive memory usage and cause the system to run out of memory. The highest threat from this vulnerability is to system availability.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/nodejs | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u3 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 | |
| redhat/rh-nodejs10-nodejs | <0:10.24.0-1.el7 | 0:10.24.0-1.el7 |
| redhat/rh-nodejs14-nodejs | <0:14.16.0-1.el7 | 0:14.16.0-1.el7 |
| redhat/rh-nodejs12-nodejs | <0:12.21.0-1.el7 | 0:12.21.0-1.el7 |
| ubuntu/nodejs | <10.19.0~dfsg-3ubuntu1.2 | 10.19.0~dfsg-3ubuntu1.2 |
| ubuntu/nodejs | <12.21.0~dfsg-1 | 12.21.0~dfsg-1 |
| Nodejs Node.js | >=10.0.0<10.24.0 | |
| Nodejs Node.js | >=12.0.0<12.21.0 | |
| Nodejs Node.js | >=14.0.0<14.16.0 | |
| Nodejs Node.js | >=15.0.0<15.10.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Netapp E-series Performance Analyzer | ||
| Oracle GraalVM | =19.3.5 | |
| Oracle GraalVM | =20.3.1.2 | |
| Oracle GraalVM | =21.0.0.2 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.0 | |
| Oracle MySQL Cluster | <=8.0.25 | |
| Oracle Nosql Database | <20.3 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| redhat/node | <15.10.0 | 15.10.0 |
| redhat/node | <14.16.0 | 14.16.0 |
| redhat/node | <12.21.0 | 12.21.0 |
| redhat/node | <10.24.0 | 10.24.0 |
| IBM Cloud Pak for Security (CP4S) | <=1.6.0.1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.6.0.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.5.0.1 | |
| IBM Cloud Pak for Security (CP4S) | <=1.5.0.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.4.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hackerone.com/reports/1043360
- https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/
- https://security.netapp.com/advisory/ntap-20210416-0001/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://launchpad.net/bugs/cve/CVE-2021-22883
- https://security-tracker.debian.org/tracker/CVE-2021-22883
- https://www.cve.org/CVERecord?id=CVE-2021-22883 https://nvd.nist.gov/vuln/detail/CVE-2021-22883
- https://bugzilla.redhat.com/show_bug.cgi?id=1932014
- https://access.redhat.com/errata/RHSA-2021:0734
- https://access.redhat.com/errata/RHSA-2021:0735
- https://access.redhat.com/errata/RHSA-2021:0744
- https://access.redhat.com/errata/RHSA-2021:0739
- https://access.redhat.com/errata/RHSA-2021:0741
- https://access.redhat.com/errata/RHSA-2021:0738
- https://access.redhat.com/errata/RHSA-2021:0740
- https://access.redhat.com/errata/RHSA-2021:0827
- https://access.redhat.com/errata/RHSA-2021:0830
- https://access.redhat.com/errata/RHSA-2021:0831
- https://access.redhat.com/security/cve/cve-2021-22883
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22883
- https://ubuntu.com/security/notices/USN-6418-1
- https://nvd.nist.gov/vuln/detail/CVE-2021-22883
- https://ubuntu.com/security/CVE-2021-22883
- https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/#update-23-feb-2021-security-releases-available
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932015
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932019
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932016
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932020
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932017
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932018
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932021
- https://github.com/nodejs/node/commit/4184806deed6b6c393dd8737aab1dc0c78a24c78
- https://github.com/nodejs/node/commit/afea10b09785996348fc198c8aa97eb10a05cec9
- https://github.com/nodejs/node/commit/922ada77132c1b0b69c9a146822d762b2f9b912b
- https://github.com/nodejs/node/commit/3f2e9dc40c9964965b075c00719829f9bb17e65f
- https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security
- https://exchange.xforce.ibmcloud.com/vulnerabilities/197190
- https://www.ibm.com/support/pages/node/6453115 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-22883?
CVE-2021-22883 is a vulnerability in Node.js that can lead to a denial of service due to a file descriptor leak.
How does CVE-2021-22883 affect Node.js?
CVE-2021-22883 affects Node.js by causing a potential denial of service when too many connection attempts with an 'unknownProtocol' are established and a file descriptor leak occurs.
What is the severity of CVE-2021-22883?
CVE-2021-22883 has a severity rating of high.
Which versions of Node.js are affected by CVE-2021-22883?
CVE-2021-22883 affects Node.js versions 15.10.0, 14.16.0, 12.21.0, and 10.24.0.
How can I fix CVE-2021-22883 in Node.js?
To fix CVE-2021-22883, update Node.js to version 15.10.0, 14.16.0, 12.21.0, or 10.24.0, depending on the version you are currently using.
- collector/launchpad-cve
- collector/security-tracker-debian
- collector/redhat-cve
- collector/usn-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/first-publish-date
- agent/last-modified-date
- agent/type
- agent/weakness
- agent/softwarecombine
- agent/severity
- agent/references
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22883
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/debian
- package-manager/redhat
- package-manager/ubuntu
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/10.0.0
- version/nodejs node.js/12.0.0
- version/nodejs node.js/14.0.0
- version/nodejs node.js/15.0.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/netapp
- canonical/netapp e-series performance analyzer
- vendor/oracle
- canonical/oracle graalvm
- version/oracle graalvm/19.3.5
- version/oracle graalvm/20.3.1.2
- version/oracle graalvm/21.0.0.2
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle mysql cluster
- version/oracle mysql cluster/8.0.25
- canonical/oracle nosql database
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/ibm
- canonical/ibm cloud pak for security (cp4s)
- version/ibm cloud pak for security (cp4s)/1.6.0.1
- version/ibm cloud pak for security (cp4s)/1.6.0.0
- version/ibm cloud pak for security (cp4s)/1.5.0.1
- version/ibm cloud pak for security (cp4s)/1.5.0.0
- version/ibm cloud pak for security (cp4s)/1.4.0.0