2021-07-07-libuv upgrade – Out of bounds read (Medium) (CVE-2021-22918)
Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
---|---|---|---|---|
STORM-2021-053 | CVE-2021-22918 | 07/07/2021 | low | v1 |
Vulnerability details
Node.js published a security update on their LTS branch.
It fixes a vulnerability (CVE-2021-22918) in a component used for DNS resolution (libuv).
Impacted products
Products | Severity | Detail |
---|---|---|
Stormshield Management Center | low | libuv upgrade - Out of bounds read |
Revisions
Version | Date | Description |
---|---|---|
v1 | 16/07/2021 | Initial release |
Stormshield Management Center | CVSS v3.1 Overall Score: 2.1 |
---|---|
Analysis | Impacted version |
In the attack scenario, a malicious authorised user on SMC causes an information leak or a crash of the application by requesting domain resolution. This can only be triggered by asking for resolution of an FQDN object, which makes SMC unavailable until it is manually restarted. | |
Workaround solution | Solution |
Not using FQDN objects | The 3.0.1 update will fix this vulnerability. |
Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability impact |
---|---|---|---|---|---|---|---|
Local | High | High | Required | Unchanged | None | None | Low |
CVSS Base score: 1.8 | CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L) |
Exploit Code Maturity | Remediation Level | Report Confidence |
---|---|---|
Unproven that exploit exists | Workaround | Unknown |
CVSS Temporal score: 1.5 | CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L/E:U/RL:W/RC:U) |
Confidentiality Requirement | Integrity Requirement | Availability Requirement |
---|---|---|
Medium | High | High |
CVSS Environmental score: 2.1 | CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L/E:U/RL:W/RC:U/CR:M/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X) |
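As an added example (not part of the advisory), the Python below reproduces the base, temporal and environmental scores above (1.8, 1.5 and 2.1) from the vector strings by implementing the CVSS v3.1 formulas; it generalises to any v3.1 vector, including changed scope and Modified (M*) metrics, so a reader can check a vendor's scoring rather than take it on trust.

```python
import math

# CVSS v3.1 metric weights, taken from section 7.4 of the FIRST CVSS v3.1 specification.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR_U": {"N": 0.85, "L": 0.62, "H": 0.27},  # Privileges Required when Scope is Unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},   # Privileges Required when Scope is Changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},  # CR / IR / AR security requirements
}

def roundup(x):
    """Roundup() from CVSS v3.1 Appendix A: round up to one decimal without float artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def sub_scores(m, modified=False):
    """Return (impact, exploitability, scope) for the base or, with modified=True, the M* metric group."""
    g = lambda k: m["M" + k] if modified and m.get("M" + k, "X") != "X" else m[k]  # M* overrides base
    scope = g("S")
    c, i, a = (W["CIA"][g(k)] for k in "CIA")
    if modified:  # environmental: weight each impact by its security requirement, cap at 0.915
        cr, ir, ar = (W["REQ"][m.get(k, "X")] for k in ("CR", "IR", "AR"))
        iss = min(1 - (1 - cr * c) * (1 - ir * i) * (1 - ar * a), 0.915)
        impact = 6.42 * iss if scope == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        iss = 1 - (1 - c) * (1 - i) * (1 - a)
        impact = 6.42 * iss if scope == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    pr = W["PR_U" if scope == "U" else "PR_C"][g("PR")]
    expl = 8.22 * W["AV"][g("AV")] * W["AC"][g("AC")] * pr * W["UI"][g("UI")]
    return impact, expl, scope

def cvss31(vector):
    """Parse a vector (parentheses and 'CVSS:3.1/' prefix optional) -> (base, temporal, environmental)."""
    m = dict(part.split(":") for part in vector.strip("()").split("/"))
    tf = W["E"][m.get("E", "X")] * W["RL"][m.get("RL", "X")] * W["RC"][m.get("RC", "X")]  # temporal factor
    def group_score(modified):
        impact, expl, scope = sub_scores(m, modified)
        if impact <= 0:  # no impact at all scores 0 regardless of exploitability
            return 0.0
        return roundup(min((1.0 if scope == "U" else 1.08) * (impact + expl), 10))
    base = group_score(False)
    return base, roundup(base * tf), roundup(group_score(True) * tf)
```

Calling `cvss31` on the environmental vector quoted in the table above returns `(1.8, 1.5, 2.1)`, matching the three scores the advisory states.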
Acknowledgements