SB2021031601 - Red Hat Software Collections update for rh-nodejs10-nodejs 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021031601

SB2021031601 - Red Hat Software Collections update for rh-nodejs10-nodejs

Published: March 16, 2021

Security Bulletin ID SB2021031601
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Resource management error (CVE-ID: CVE-2021-22883)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when processing multiple connection attempts with an 'unknownProtocol'. A remote attacker can initiate multiple connections with the server, which will trigger a leak of file descriptors and result in a denial of service (DoS) condition.


2) DNS rebinding (CVE-ID: CVE-2021-22884)

The vulnerability allows a remote attacker to perform DNS rebinding attack.

The vulnerability exists due to the application whitelist includes the “localhost6” name. When “localhost6” is not present in /etc/hosts, it is treated an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain.


Remediation

Install update from vendor's website.

References