CVE-2021-22883

Description

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

How to fix CVE-2021-22883

To remediate CVE-2021-22883, upgrade the affected package to a fixed version below.

• —upgrade to 12.21.0-r0 or later
• —upgrade to 10.24.0 or later
• —upgrade to 10.24.0 or later
• —upgrade to 12.21.0~dfsg-1 or later
• —upgrade to 10.24.0~dfsg-1~deb10u1 or later

Is CVE-2021-22883 being exploited?

Likely — EPSS is 89.4%, placing CVE-2021-22883 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (5)

• from 0, < 12.21.0-r0
• >= 10.0.0, < 10.24.0, >= 12.0.0, < 12.21.0, >= 14.0.0, < 14.16.0, >= 15.0.0, < 15.10.0
• >= 10.0.0, < 10.24.0, >= 12.0.0, < 12.21.0, >= 14.0.0, < 14.16.0, >= 15.0.0, < 15.10.0
• from 0, < 12.21.0~dfsg-1
• from 0, < 10.24.0~dfsg-1~deb10u1

CVSS scores

References (13)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-22883
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-22883
• WEBcert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• WEBhackerone.com/reports/1043360