CVE-2021-22931
📋 TL;DR
Node.js DNS library vulnerability allows remote code execution, XSS, and application crashes due to improper validation of DNS responses. Attackers can inject malicious hostnames leading to domain hijacking and code injection. Affects applications using Node.js dns module before patched versions.
💻 Affected Systems
- Node.js
📦 What is this software?
Graalvm by Oracle
Node.js by Nodejs
Peoplesoft Enterprise Peopletools by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data theft, and lateral movement within network.
Likely Case
Application crashes causing denial of service, or XSS attacks leading to session hijacking and data exfiltration.
If Mitigated
Limited impact with proper input validation and network segmentation, potentially only causing application instability.
🎯 Exploit Status
Exploitation requires DNS response manipulation, which can be achieved through DNS poisoning or malicious DNS servers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js 16.6.0, 14.17.4, or 12.22.4
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
Restart Required: Yes
Instructions:
1. Identify the Node.js version with 'node --version'.
2. Upgrade to a patched version using your package manager (npm install -g node@16.6.0 or the appropriate version).
3. Restart all Node.js applications and services.
🔧 Temporary Workarounds
DNS Response Validation
Implement custom DNS response validation before processing hostnames
// JavaScript example: validate hostname before use
const dns = require('dns');

// Reject anything outside letters, digits, dots and hyphens before it reaches the resolver.
function safeLookup(hostname) {
  if (!/^[a-zA-Z0-9.-]+$/.test(hostname)) {
    throw new Error('Invalid hostname');
  }
  // dns.lookup() requires a callback and returns nothing; the promises API returns a usable value.
  return dns.promises.lookup(hostname);
}
🧯 If You Can't Patch
- Implement network-level DNS filtering to block malicious DNS responses
- Use application-level input validation for all DNS-derived data
🔍 How to Verify
Check if Vulnerable:
Run 'node --version'; the installation is vulnerable if the version is below 16.6.0 on the 16.x line, below 14.17.4 on 14.x, or below 12.22.4 on 12.x.
Check Version:
node --version
Verify Fix Applied:
After the upgrade, run 'node --version' to confirm the version is 16.6.0, 14.17.4 or 12.22.4 or higher on its release line.
📡 Detection & Monitoring
Log Indicators:
- Unusual DNS query patterns
- Application crashes with DNS-related errors
- Unexpected hostname values in application logs
Network Indicators:
- Suspicious DNS responses with special characters
- DNS traffic from unexpected sources
SIEM Query:
source="dns" AND (query="*[;|&<>]*" OR response="*[;|&<>]*")
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://hackerone.com/reports/1178337
- https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
- https://security.gentoo.org/glsa/202401-02
- https://security.netapp.com/advisory/ntap-20210923-0001/
- https://security.netapp.com/advisory/ntap-20211022-0003/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html