GHSA-GWJ5-3VFQ-Q992

Vulnerability from github – Published: 2021-05-21 16:22 – Updated: 2021-05-20 21:07
VLAI?
Summary
Import loops in account imports, nats-server DoS
Details

(This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-28466.txt)

Problem Description

An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.

This issue was fixed publicly in https://github.com/nats-io/nats-server/pull/1731 in November 2020.

The need to call this out as a security issue was highlighted by snyk.io and we are grateful for their assistance in doing so.

Organizations which run a NATS service providing access to accounts run by untrusted third parties are affected. See below for an important caveat if running such a service.

Affected versions

NATS Server

  • Version 2 prior to 2.2.0
  • 2.0.0 through and including 2.1.9 are vulnerable.
  • fixed with nats-io/nats-server PR 1731, commit 2e3c226729

Impact

The nats-server could be killed, after consuming resources.

Workaround

The import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.

Solution

Upgrade the nats-server.

Caveat on NATS with untrusted users

Running a NATS service which is exposed to untrusted users presents a heightened risk.

Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.

Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.

Those who are running such services are encouraged to build regularly from git.

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nats-io/nats-server/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T21:07:16Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "(This advisory is canonically \u003chttps://advisories.nats.io/CVE/CVE-2020-28466.txt\u003e)\n\n## Problem Description\n\nAn export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.\n\nThis issue was fixed publicly in \u003chttps://github.com/nats-io/nats-server/pull/1731\u003e in November 2020.\n\nThe need to call this out as a security issue was highlighted by `snyk.io` and we are grateful for their assistance in doing so.\n\nOrganizations which run a NATS service providing access to accounts run by untrusted third parties are affected.\nSee below for an important caveat if running such a service.\n\n\n## Affected versions\n\n#### NATS Server\n\n * Version 2 prior to 2.2.0\n   + 2.0.0 through and including 2.1.9 are vulnerable.\n * fixed with nats-io/nats-server PR 1731, commit 2e3c226729\n\n\n## Impact\n\nThe nats-server could be killed, after consuming resources.\n\n\n## Workaround\n\nThe import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.\n\n\n## Solution\n\nUpgrade the nats-server.\n\n\n## Caveat on NATS with untrusted users\n\nRunning a NATS service which is exposed to untrusted users presents a heightened risk.\n\nAny remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.\n\nFixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.\n\nThose who are running such services are encouraged to build regularly from git.",
  "id": "GHSA-gwj5-3vfq-q992",
  "modified": "2021-05-20T21:07:16Z",
  "published": "2021-05-21T16:22:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-gwj5-3vfq-q992"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Import loops in account imports, nats-server DoS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.