CVE-2021-22883
First published: Sat Feb 20 2021(Updated: )
Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an 'unknownProtocol', an attacker could exploit this vulnerability to lead to an excessive memory usage and cause the system to run out of memory.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-nodejs10-nodejs | <0:10.24.0-1.el7 | 0:10.24.0-1.el7 |
| redhat/rh-nodejs14-nodejs | <0:14.16.0-1.el7 | 0:14.16.0-1.el7 |
| redhat/rh-nodejs12-nodejs | <0:12.21.0-1.el7 | 0:12.21.0-1.el7 |
| ubuntu/nodejs | <10.19.0~dfsg-3ubuntu1.2 | 10.19.0~dfsg-3ubuntu1.2 |
| ubuntu/nodejs | <12.21.0~dfsg-1 | 12.21.0~dfsg-1 |
| Nodejs Node.js | >=10.0.0<10.24.0 | |
| Nodejs Node.js | >=12.0.0<12.21.0 | |
| Nodejs Node.js | >=14.0.0<14.16.0 | |
| Nodejs Node.js | >=15.0.0<15.10.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Netapp E-series Performance Analyzer | ||
| Oracle GraalVM | =19.3.5 | |
| Oracle GraalVM | =20.3.1.2 | |
| Oracle GraalVM | =21.0.0.2 | |
| Oracle Jd Edwards Enterpriseone Tools | <9.2.6.0 | |
| Oracle MySQL Cluster | <=8.0.25 | |
| Oracle Nosql Database | <20.3 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Siemens Sinec Infrastructure Network Services | <1.0.1.1 | |
| debian/nodejs | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u3 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/197190
- https://www.ibm.com/support/pages/node/6570957 (Advisory)
- https://hackerone.com/reports/1043360
- https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/
- https://security.netapp.com/advisory/ntap-20210416-0001/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://launchpad.net/bugs/cve/CVE-2021-22883
- https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/#update-23-feb-2021-security-releases-available
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932015
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932019
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932016
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932020
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932017
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932018
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1932021
- https://github.com/nodejs/node/commit/4184806deed6b6c393dd8737aab1dc0c78a24c78
- https://github.com/nodejs/node/commit/afea10b09785996348fc198c8aa97eb10a05cec9
- https://github.com/nodejs/node/commit/922ada77132c1b0b69c9a146822d762b2f9b912b
- https://github.com/nodejs/node/commit/3f2e9dc40c9964965b075c00719829f9bb17e65f
- https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security
- https://access.redhat.com/errata/RHSA-2021:0734
- https://access.redhat.com/errata/RHSA-2021:0735
- https://access.redhat.com/security/cve/cve-2021-22883
- https://access.redhat.com/errata/RHSA-2021:0739
- https://access.redhat.com/errata/RHSA-2021:0741
- https://access.redhat.com/errata/RHSA-2021:0738
- https://access.redhat.com/errata/RHSA-2021:0740
- https://access.redhat.com/errata/RHSA-2021:0744
- https://access.redhat.com/errata/RHSA-2021:0827
- https://access.redhat.com/errata/RHSA-2021:0830
- https://access.redhat.com/errata/RHSA-2021:0831
- https://bugzilla.redhat.com/show_bug.cgi?id=1932014
- https://www.cve.org/CVERecord?id=CVE-2021-22883 https://nvd.nist.gov/vuln/detail/CVE-2021-22883
- https://security-tracker.debian.org/tracker/CVE-2021-22883
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22883
- https://ubuntu.com/security/notices/USN-6418-1
- https://nvd.nist.gov/vuln/detail/CVE-2021-22883
- https://ubuntu.com/security/CVE-2021-22883
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-22883?
CVE-2021-22883 is a vulnerability in Node.js that can lead to a denial of service due to a file descriptor leak.
How does CVE-2021-22883 affect Node.js?
CVE-2021-22883 affects Node.js by causing a potential denial of service when too many connection attempts with an 'unknownProtocol' are established and a file descriptor leak occurs.
What is the severity of CVE-2021-22883?
CVE-2021-22883 has a severity rating of high.
Which versions of Node.js are affected by CVE-2021-22883?
CVE-2021-22883 affects Node.js versions 15.10.0, 14.16.0, 12.21.0, and 10.24.0.
How can I fix CVE-2021-22883 in Node.js?
To fix CVE-2021-22883, update Node.js to version 15.10.0, 14.16.0, 12.21.0, or 10.24.0, depending on the version you are currently using.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/ibm-support
- collector/launchpad-cve
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22883
- agent/software-canonical-lookup
- collector/redhat-cve
- collector/security-tracker-debian
- collector/usn-cve
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/10.0.0
- version/nodejs node.js/12.0.0
- version/nodejs node.js/14.0.0
- version/nodejs node.js/15.0.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/netapp
- canonical/netapp e-series performance analyzer
- vendor/oracle
- canonical/oracle graalvm
- version/oracle graalvm/19.3.5
- version/oracle graalvm/20.3.1.2
- version/oracle graalvm/21.0.0.2
- canonical/oracle jd edwards enterpriseone tools
- canonical/oracle mysql cluster
- version/oracle mysql cluster/8.0.25
- canonical/oracle nosql database
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu