CVE-2021-46461 Overview
CVE-2021-46461 is an out-of-bounds array access vulnerability in njs, the JavaScript interpreter used in NGINX, affecting versions through 0.7.0. The vulnerability exists in the njs_vmcode_typeof function within /src/njs_vmcode.c, where an attacker can trigger an out-of-bounds read by manipulating type checking operations. This memory corruption vulnerability can be exploited remotely without authentication, potentially leading to information disclosure, denial of service, or arbitrary code execution.
Critical Impact
This vulnerability allows unauthenticated remote attackers to exploit an out-of-bounds array access in the njs JavaScript interpreter, potentially compromising NGINX servers that utilize njs scripting functionality.
Affected Products
- nginx njs versions through 0.7.0
- NGINX deployments using njs scripting module
- NetApp products using affected njs versions (see NetApp Security Advisory NTAP-20220303-0007)
Discovery Timeline
- 2022-02-14 - CVE-2021-46461 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-46461
Vulnerability Analysis
The vulnerability resides in the njs_vmcode_typeof function in /src/njs_vmcode.c. The root cause is a missing element in the types array used for typeof operations. When the njs interpreter processes a DataView() type, the types array does not contain a corresponding entry, leading to an out-of-bounds array access. This occurs because the array indexing is based on the value's type field, and the absence of the DataView entry causes the access to exceed the bounds of the types array.
The vulnerability is network-accessible and requires no privileges or user interaction to exploit, making it particularly dangerous for internet-facing NGINX servers with njs enabled.
Root Cause
The types array in njs_vmcode_typeof was missing an entry for the DataView() type. When the JavaScript code uses typeof on a DataView object, the interpreter indexes into the types array using the type value, which exceeds the array bounds due to the missing element.
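The bug class described above, shown as an added example (not code from njs or from the original page): a positional lookup table that was never extended for a newly added type tag, next to a table whose coverage is enforced at compile time and a range-checked lookup. The enum, table and function names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed type tags for illustration (not njs's real enum). */
typedef enum {
    T_NULL, T_UNDEFINED, T_BOOLEAN, T_NUMBER, T_STRING,
    T_FUNCTION, T_OBJECT,
    T_DATA_VIEW,            /* tag added later, like DataView in njs */
    T_TYPE_MAX              /* number of tags; keep last */
} value_type_t;

#define TABLE_LEN(t) (sizeof(t) / sizeof((t)[0]))

/* "Before": positional table never extended for T_DATA_VIEW (7 of 8). */
static const char *const typeof_short[] = {
    "object", "undefined", "boolean", "number", "string",
    "function", "object",
};

/* "After": one designated entry per tag, checked at compile time. */
static const char *const typeof_full[] = {
    [T_NULL] = "object",      [T_UNDEFINED] = "undefined",
    [T_BOOLEAN] = "boolean",  [T_NUMBER] = "number",
    [T_STRING] = "string",    [T_FUNCTION] = "function",
    [T_OBJECT] = "object",    [T_DATA_VIEW] = "object",
};
_Static_assert(TABLE_LEN(typeof_full) == T_TYPE_MAX,
               "typeof table must have an entry for every type tag");

/* 1 if indexing the short table with this tag would read past its end. */
int short_table_overruns(unsigned type) {
    return type >= TABLE_LEN(typeof_short);
}

/* Hardened lookup: range-check the tag and reject unfilled slots. */
const char *typeof_checked(unsigned type) {
    if (type >= TABLE_LEN(typeof_full) || typeof_full[type] == NULL)
        return NULL;
    return typeof_full[type];
}

int main(void) {
    printf("short table: %zu entries for %d tags\n",
           TABLE_LEN(typeof_short), T_TYPE_MAX);
    printf("T_DATA_VIEW overruns short table: %d\n",
           short_table_overruns(T_DATA_VIEW));
    printf("checked typeof(T_DATA_VIEW): %s\n", typeof_checked(T_DATA_VIEW));
    return 0;
}
```

With the compile-time assertion in place, adding a tag at the end of the enum without extending the table fails the build instead of producing an out-of-bounds read at run time.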
Attack Vector
An attacker can exploit this vulnerability by sending specially crafted JavaScript code to an NGINX server configured to use njs scripting. The malicious code would trigger a typeof operation on a DataView object, causing the out-of-bounds array access. This can be achieved remotely over the network without authentication.
// Security patch - Added missing DataView element in typeof table
// Source: https://github.com/nginx/njs/commit/d457c9545e7e71ebb5c0479eb16b9d33175855e2
&njs_string_object,
&njs_string_object,
&njs_string_object,
+ &njs_string_object,
};
vm->retval = *types[value->type];
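Review bot: The lookup at `vm->retval = *types[value->type];` still indexes the table with no range check, so the added `&njs_string_object` entry only covers the type that is missing today; the next value type introduced without a matching table entry brings back the same out-of-bounds read. Suggest a compile-time assertion next to the closing `};` that ties the table length to the number of value types, and a comment on each entry naming the type it stands for, since the four identical `&njs_string_object` lines give a reader no way to check which slot belongs to DataView.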
The patch adds the missing &njs_string_object entry to the types array, ensuring all type values have corresponding entries and preventing the out-of-bounds access.
Detection Methods for CVE-2021-46461
Indicators of Compromise
- Unexpected crashes or segmentation faults in NGINX worker processes involving njs
- Anomalous JavaScript code submissions targeting DataView operations
- Memory access violations logged in system logs related to njs_vmcode.c
- Unusual error patterns in NGINX error logs referencing typeof operations
Detection Strategies
- Monitor NGINX error logs for unexpected crashes in njs-related modules
- Implement web application firewall (WAF) rules to detect suspicious JavaScript payloads targeting DataView objects
- Deploy SentinelOne Singularity to detect memory corruption exploitation attempts in real-time
- Audit NGINX configurations to identify servers with njs scripting enabled
Monitoring Recommendations
- Enable detailed logging for NGINX njs operations to capture potential exploitation attempts
- Configure SentinelOne agents to monitor NGINX processes for abnormal memory access patterns
- Set up alerts for NGINX worker process crashes that may indicate exploitation attempts
- Implement network monitoring to detect unusual traffic patterns to njs-enabled endpoints
How to Mitigate CVE-2021-46461
Immediate Actions Required
- Update nginx njs to version 0.7.1 or later immediately
- If immediate patching is not possible, disable njs scripting functionality temporarily
- Review NGINX configurations to identify all servers using njs
- Implement network segmentation to limit exposure of vulnerable NGINX servers
- Deploy SentinelOne Singularity for runtime protection against exploitation attempts
Patch Information
The vulnerability has been fixed in the official commit d457c9545e7e71ebb5c0479eb16b9d33175855e2. Organizations should update to njs version 0.7.1 or later, which includes this security fix. Additional details can be found in GitHub Issue #450.
Workarounds
- Disable njs scripting module in NGINX configurations if not required for business operations
- Implement strict input validation for any JavaScript code processed by njs
- Deploy a reverse proxy or WAF in front of vulnerable NGINX servers to filter malicious requests
- Restrict network access to njs-enabled NGINX servers to trusted sources only
# Disable njs module in NGINX configuration
# Remove or comment out load_module directives for njs
# Example nginx.conf modification:
# load_module modules/ngx_http_js_module.so; # Comment out this line
# load_module modules/ngx_stream_js_module.so; # Comment out this line
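# Check whether njs appears in the build's configure arguments
# (a separately packaged dynamic module will not show up here)
nginx -V 2>&1 | grep -o 'njs' || echo "njs not compiled in"
# Confirm the active configuration no longer loads the njs modules
nginx -T 2>/dev/null | grep -E '^[[:space:]]*load_module[[:space:]].*js_module' || echo "no njs load_module directives active"
# Test the configuration, then restart NGINX to apply changes
nginx -t && systemctl restart nginx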
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


