CVE-2021-22883 — HIGH (7.5)

Q: How severe is CVE-2021-22883?

CVE-2021-22883 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-22883?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Fedoraproject Fedora, Netapp E-Series Performance Analyzer, Oracle Graalvm, Oracle Jd Edwards Enterpriseone Tools.

Vulnerability Description

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Nodejs	Node.Js	>= 10.0.0, < 10.24.0
Fedoraproject	Fedora	32
Netapp	E-Series Performance Analyzer	-
Oracle	Graalvm	19.3.5
Oracle	Jd Edwards Enterpriseone Tools	< 9.2.6.0
Oracle	Mysql Cluster	<= 8.0.25
Oracle	Nosql Database	< 20.3
Oracle	Peoplesoft Enterprise Peopletools	8.58
Siemens	Sinec Infrastructure Network Services	< 1.0.1.1

Related Weaknesses (CWE)

CWE-772 CWE-400

References

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://hackerone.com/reports/1043360Permissions RequiredThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/PatchRelease NotesVendor Advisory
https://security.netapp.com/advisory/ntap-20210416-0001/Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://hackerone.com/reports/1043360Permissions RequiredThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2021-22883?

CVE-2021-22883 is a vulnerability with a CVSS score of 7.5 (HIGH). Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of f...

How severe is CVE-2021-22883?

CVE-2021-22883 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-22883?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Fedoraproject Fedora, Netapp E-Series Performance Analyzer, Oracle Graalvm, Oracle Jd Edwards Enterpriseone Tools.