CVE-2021-29442 Overview
CVE-2021-29442 is an authentication bypass vulnerability in Alibaba Nacos, a platform designed for dynamic service discovery, configuration, and service management. In Nacos versions prior to 1.4.1, the ConfigOpsController allows users to perform management operations including querying the database or completely wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint lacks authentication protection and can be openly accessed by unauthenticated users.
Critical Impact
Unauthenticated attackers can access sensitive configuration data stored in the embedded Derby database, potentially exposing service configurations, credentials, and other sensitive information managed by Nacos.
Affected Products
- Alibaba Nacos versions prior to 1.4.1
- Nacos installations using embedded Derby database storage
- Not affected: Nacos installations using external storage (e.g., MySQL)
Discovery Timeline
- 2021-04-27 - CVE-2021-29442 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29442
Vulnerability Analysis
This vulnerability is classified as CWE-306: Missing Authentication for Critical Function. The core issue lies in inconsistent security annotations within the ConfigOpsController class. While one endpoint (/data/remove) correctly implements authentication via the @Secured annotation, the /derby endpoint was left unprotected, creating an authentication bypass that allows any network-accessible attacker to interact with the embedded database.
The vulnerability only affects Nacos installations using the embedded Derby database for storage. Organizations using external database solutions such as MySQL are not impacted by this specific vulnerability, as the Derby-specific endpoints would not be functional in those configurations.
Root Cause
The root cause is a missing authentication annotation on the /derby endpoint in the ConfigOpsController. This represents an incomplete security implementation where developers protected some sensitive endpoints but inadvertently left others exposed. The @Secured annotation that should have been applied to restrict access to authenticated users was not present on the vulnerable endpoint.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with network access to the Nacos service can directly send requests to the unprotected /derby endpoint to execute database operations. This could allow the attacker to:
- Query the embedded Derby database to extract sensitive configuration data
- Access service discovery information and metadata
- Potentially retrieve stored credentials or API keys managed through Nacos
- Enumerate all services and their configurations registered with Nacos
The vulnerability is exploitable via simple HTTP requests to the vulnerable endpoint, making it trivial for attackers to exploit once they identify an affected Nacos instance.
Detection Methods for CVE-2021-29442
Indicators of Compromise
- Unexpected HTTP requests to /nacos/v1/cs/ops/derby endpoints from external or unauthorized IP addresses
- Anomalous database query patterns in Nacos logs indicating enumeration attempts
- Access logs showing repeated requests to the /derby endpoint without corresponding authentication events
- Unusual data access patterns indicating bulk extraction of configuration data
Detection Strategies
- Monitor web server access logs for requests to /nacos/v1/cs/ops/derby from unauthenticated sources
- Implement network-level monitoring for connections to Nacos management ports from untrusted networks
- Deploy web application firewall (WAF) rules to detect and block unauthorized access attempts to sensitive Nacos endpoints
- Review Nacos audit logs for configuration queries that don't correspond to legitimate administrative activity
Monitoring Recommendations
- Enable detailed access logging on Nacos instances to capture all endpoint access attempts
- Configure alerting for any access to Derby database endpoints from non-administrative IP ranges
- Implement network segmentation monitoring to detect unauthorized access attempts to Nacos management interfaces
- Establish baseline behavior for Nacos API access patterns to identify anomalous activity
How to Mitigate CVE-2021-29442
Immediate Actions Required
- Upgrade Alibaba Nacos to version 1.4.1 or later immediately
- Restrict network access to Nacos management interfaces using firewall rules until patching is complete
- Migrate from embedded Derby storage to external MySQL database if feasible, as this configuration is not affected
- Audit access logs for any evidence of exploitation prior to patching
Patch Information
The vulnerability has been addressed in Nacos version 1.4.1. The fix adds proper authentication controls to the previously unprotected /derby endpoint. Organizations should upgrade to version 1.4.1 or later to remediate this vulnerability. Technical details of the fix are available in the GitHub Pull Request #4517.
Additional information can be found in the GitHub Security Advisory and the GitHub Issue Discussion.
Workarounds
- Implement network-level access controls to restrict access to Nacos management endpoints to trusted IP addresses only
- Deploy a reverse proxy with authentication in front of Nacos to add an additional authentication layer
- Consider migrating to external MySQL storage which is not affected by this specific vulnerability
- Use firewall rules to block external access to the /nacos/v1/cs/ops/derby endpoint until patching is completed
# Example firewall rule to restrict Nacos access (iptables)
# Allow access only from trusted admin network
iptables -A INPUT -p tcp --dport 8848 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8848 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
