CVE-2021-22883 Overview
Node.js before versions 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This vulnerability leads to a leak of file descriptors, which can have severe consequences depending on system configuration.
Critical Impact
If a file descriptor limit is configured on the system, the server becomes unable to accept new connections and the process is prevented from opening files. Without file descriptor limits, excessive memory usage can cause the system to run out of memory entirely.
Affected Products
- Node.js (versions before 10.24.0, 12.21.0, 14.16.0, and 15.10.0)
- Fedora Project Fedora (versions 32, 33, 34)
- NetApp E-Series Performance Analyzer
- Oracle GraalVM Enterprise (versions 19.3.5, 20.3.1.2, 21.0.0.2)
- Oracle JD Edwards EnterpriseOne Tools
- Oracle MySQL Cluster
- Oracle NoSQL Database
- Oracle PeopleSoft Enterprise PeopleTools (versions 8.58, 8.59)
- Siemens SINEC Infrastructure Network Services
Discovery Timeline
- 2021-03-03 - CVE CVE-2021-22883 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22883
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-772 (Missing Release of Resource after Effective Lifetime). The flaw exists in how Node.js handles TLS connections that specify an unknown protocol. When a client establishes a connection using an unrecognized protocol, Node.js fails to properly release the associated file descriptor after the connection attempt, causing a resource leak.
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker can exploit this by repeatedly initiating TLS connections with invalid or unknown protocols, causing file descriptors to accumulate on the target server.
Root Cause
The root cause lies in Node.js's TLS implementation where file descriptors associated with connections using 'unknownProtocol' are not properly cleaned up. When a TLS handshake fails due to an unrecognized protocol, the socket's file descriptor should be released, but this cleanup step was missing in vulnerable versions.
Attack Vector
The attack can be performed remotely over the network by any unauthenticated attacker. The exploitation method involves establishing numerous TLS connections specifying protocols that Node.js does not recognize. Each failed connection leaks a file descriptor.
On systems with file descriptor limits (commonly 1024 or 65536 depending on configuration), the server eventually exhausts its available descriptors, causing:
- Inability to accept new legitimate connections
- Failure to open files, logs, or other system resources
- Application crashes or unresponsive behavior
On systems without strict file descriptor limits, the leaked descriptors consume memory, potentially leading to system-wide memory exhaustion and out-of-memory conditions. For more technical details, see the HackerOne Report #1043360.
Detection Methods for CVE-2021-22883
Indicators of Compromise
- Abnormally high number of file descriptors held by Node.js processes
- Rapid increase in memory consumption on Node.js servers without corresponding legitimate traffic
- Multiple failed TLS handshake attempts from single or distributed sources with unknown protocol errors
- Server logs indicating connection acceptance failures due to resource exhaustion
Detection Strategies
- Monitor file descriptor usage per process using system tools like lsof or /proc/[pid]/fd
- Implement alerting when file descriptor count exceeds baseline thresholds for Node.js processes
- Analyze TLS handshake failure logs for patterns indicating unknown protocol connection attempts
- Deploy network-level monitoring to detect unusual volumes of TLS connection attempts with immediate failures
Monitoring Recommendations
- Configure continuous monitoring of system resource metrics including file descriptor counts and memory usage
- Set up alerts for Node.js process resource consumption anomalies
- Implement rate limiting and connection throttling at the network edge to mitigate rapid connection attempts
- Use SentinelOne Singularity to monitor for unusual process behavior and resource consumption patterns
How to Mitigate CVE-2021-22883
Immediate Actions Required
- Upgrade Node.js immediately to 10.24.0, 12.21.0, 14.16.0, or 15.10.0 (or a later release in the same line)
- Verify all deployed applications are running patched Node.js versions
- Review and apply appropriate file descriptor limits to contain potential impact
- Implement network-level rate limiting for incoming TLS connections
Patch Information
Security patches are available from Node.js for all affected LTS and current release lines. Refer to the Node.js Security Blog February 2021 for official patch information. Additional vendor patches are available from Oracle Security Alert April 2021, Oracle Security Alert July 2021, and Oracle Security Alert October 2021. Siemens customers should consult the Siemens Security Advisory SSA-389290.
Workarounds
- Implement aggressive connection rate limiting at the firewall or load balancer level to cap how quickly a single source can open TLS connections
- Configure system ulimits to prevent a single process from consuming all available file descriptors
- Deploy Web Application Firewalls (WAF) or reverse proxies that can filter malformed TLS connections before reaching Node.js
- Monitor and automatically restart Node.js processes that exceed resource thresholds as a temporary mitigation
# Check current file descriptor limits
ulimit -n
# Set process file descriptor limit (temporary: applies to this shell and its children only)
ulimit -n 65536
# Monitor Node.js process file descriptors
# pgrep -d, joins multiple PIDs with commas, which lsof -p accepts; -x matches the process name exactly.
# The count includes one lsof header line.
lsof -p "$(pgrep -d, -x node)" | wc -l
# Add persistent limits in /etc/security/limits.conf
# nodeuser soft nofile 65536
# nodeuser hard nofile 65536
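As an added example (not part of this advisory or of Node.js), the following Linux-only Python script implements the detection strategy above and the automatic-restart workaround's decision step: it reads /proc/[pid]/fd and /proc/[pid]/limits for every process named node and flags any whose open-descriptor count approaches its soft "Max open files" limit. The 80% warning ratio and the 50000 fallback baseline for unlimited processes are assumed thresholds.

```python
import os

WARN_RATIO = 0.8            # alert at 80% of the soft limit (assumed threshold)
UNLIMITED_BASELINE = 50000  # absolute fallback when the limit is 'unlimited' (assumed)


def node_pids(proc_root="/proc"):
    """PIDs whose /proc/<pid>/comm is 'node' (the Node.js binary name)."""
    pids = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                if fh.read().strip() == "node":
                    pids.append(int(entry))
        except OSError:  # process exited or not readable; skip it
            continue
    return sorted(pids)


def fd_limit(pid, proc_root="/proc"):
    """Soft 'Max open files' limit from /proc/<pid>/limits, or None if unlimited."""
    with open(os.path.join(proc_root, str(pid), "limits")) as fh:
        for line in fh:
            if line.startswith("Max open files"):
                soft = line.split()[3]  # columns: Max open files <soft> <hard> files
                return None if soft == "unlimited" else int(soft)
    return None


def fd_count(pid, proc_root="/proc"):
    """Number of open descriptors, i.e. entries in /proc/<pid>/fd."""
    return len(os.listdir(os.path.join(proc_root, str(pid), "fd")))


def check_process(pid, proc_root="/proc", warn_ratio=WARN_RATIO):
    """Return fd usage for one PID and whether it has crossed the alert line."""
    fds = fd_count(pid, proc_root)
    limit = fd_limit(pid, proc_root)
    if limit is None:
        alert = fds >= UNLIMITED_BASELINE
    else:
        alert = fds >= warn_ratio * limit
    return {"pid": pid, "fds": fds, "soft_limit": limit, "alert": alert}


if __name__ == "__main__":
    for pid in node_pids():
        r = check_process(pid)
        print(f"pid={r['pid']} fds={r['fds']} limit={r['soft_limit']} alert={r['alert']}")
```

A process reported with alert=True is the candidate for the restart-on-threshold workaround listed above; run it from cron or a supervisor health check so a leak is caught before the soft limit is hit.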
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

