CVE-2021-29442

8.6 HIGH

📋 TL;DR

CVE-2021-29442 is an authentication bypass vulnerability in Nacos that allows unauthenticated attackers to access the /derby endpoint, enabling database management operations including data deletion. This affects Nacos installations using embedded Derby database storage before version 1.4.1. Systems using external databases like MySQL are not affected.

💻 Affected Systems

Products:
  • Alibaba Nacos
Versions: All versions before 1.4.1
Operating Systems: All platforms running Nacos
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using embedded Derby database storage. Systems using external databases (MySQL, etc.) are NOT vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete data loss through database wipe, service disruption, and potential compromise of configuration data leading to downstream system compromise.

🟠 Likely Case

Unauthorized database queries exposing sensitive configuration data, potential data manipulation, and service disruption.

🟢 If Mitigated

No impact if using external database storage or proper network segmentation prevents access to vulnerable endpoints.

🌐 Internet-Facing: HIGH - Unauthenticated remote attackers can directly exploit this vulnerability if the Nacos instance is internet-facing.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the Nacos instance.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A simple HTTP request to the /nacos/v1/ops/derby endpoint with the appropriate parameters can trigger database operations without authentication. Public exploit code exists in GitHub advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1 and later

Vendor Advisory: https://github.com/advisories/GHSA-36hp-jr8h-556f

Restart Required: Yes

Instructions:

1. Backup current configuration and data.
2. Download Nacos 1.4.1 or later from the official repository.
3. Stop the Nacos service.
4. Replace with the patched version.
5. Restart the Nacos service.
6. Verify functionality.

🔧 Temporary Workarounds

Network Access Control (platform: linux)

Restrict network access to Nacos management endpoints using firewall rules or network segmentation. In the rules below, replace trusted_network with the address or CIDR range of the hosts that legitimately need to reach the Nacos console on port 8848.

iptables -A INPUT -p tcp --dport 8848 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8848 -j DROP

Migrate to External Database (platform: all)

Switch from the embedded Derby database to an external MySQL database, which is not affected by this issue.

Update application.properties to use MySQL configuration
Migrate data using Nacos data migration tools

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Nacos instances from untrusted networks
  • Deploy web application firewall (WAF) rules to block access to /nacos/v1/ops/derby endpoint

🔍 How to Verify

Check if Vulnerable:

Check the Nacos version with: curl -X GET 'http://nacos-server:8848/nacos/v1/console/server/state' | grep version. If the version is < 1.4.1 and the instance uses embedded Derby storage, the system is vulnerable.

Check Version:

curl -X GET 'http://nacos-server:8848/nacos/v1/console/server/state' | grep -o '"version":"[^"]*"'

Verify Fix Applied:

After patching, verify that the reported version is 1.4.1 or later and test that unauthenticated requests to /nacos/v1/ops/derby return an authentication error rather than executing the request.
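The two conditions above (version below 1.4.1 and embedded Derby in use) can be checked from the server/state response and the instance's application.properties without touching the /derby endpoint at all. The following is an added example, not code from the advisory or from the Nacos project. It assumes that the server/state endpoint returns JSON with a "version" field (the same field the curl/grep check above reads) and, as a labelled assumption based on the Nacos 1.x configuration convention, that embedded Derby is in use unless application.properties sets spring.datasource.platform=mysql. The sample inputs are constructed.

```python
"""Assess whether a Nacos instance falls in the CVE-2021-29442 affected set.

Added example (not from the advisory or the Nacos project). Assumptions:
  * /nacos/v1/console/server/state returns JSON containing "version";
  * in Nacos 1.x, storage is embedded Derby unless application.properties
    sets spring.datasource.platform=mysql (assumption, not confirmed by
    the advisory text itself).
"""
import json
import re

FIXED_VERSION = (1, 4, 1)  # first release that requires auth on /derby

# Constructed sample inputs, shaped after the real endpoint/config formats.
SAMPLE_STATE = '{"standalone_mode":"standalone","function_mode":null,"version":"1.4.0"}'
SAMPLE_PROPS_DERBY = "server.port=8848\n# spring.datasource.platform=mysql\n"
SAMPLE_PROPS_MYSQL = "server.port=8848\nspring.datasource.platform=mysql\ndb.num=1\n"


def parse_version(version: str) -> tuple:
    """'1.4.0-BETA' -> (1, 4, 0); a missing patch number counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def uses_embedded_derby(properties_text: str) -> bool:
    """True unless an uncommented spring.datasource.platform=mysql line exists."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no setting
        key, _, value = line.partition("=")
        if key.strip() == "spring.datasource.platform":
            return value.strip().lower() != "mysql"
    return True  # no platform key at all: Nacos 1.x default is embedded Derby


def assess(state_json: str, properties_text: str) -> dict:
    """Combine the two advisory conditions into one verdict."""
    state = json.loads(state_json)
    version = state.get("version")
    if not version:
        raise ValueError("server/state response has no version field")
    below_fix = parse_version(version) < FIXED_VERSION
    derby = uses_embedded_derby(properties_text)
    return {
        "version": version,
        "below_fix": below_fix,
        "embedded_derby": derby,
        # Affected only when BOTH hold; external MySQL is out of scope.
        "vulnerable": below_fix and derby,
    }


if __name__ == "__main__":
    for label, props in (("derby", SAMPLE_PROPS_DERBY), ("mysql", SAMPLE_PROPS_MYSQL)):
        print(label, assess(SAMPLE_STATE, props))
```

In practice, feed `assess()` the body of the curl call shown above and the application.properties from the Nacos conf directory; a result with `"vulnerable": True` means the instance needs the 1.4.1 upgrade or one of the workarounds listed in this advisory.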

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to /nacos/v1/ops/derby endpoint
  • Database operation logs from unauthenticated users
  • Unexpected database queries or modifications

Network Indicators:

  • HTTP requests to /nacos/v1/ops/derby without authentication headers
  • POST/DELETE requests to Nacos management endpoints from unauthorized sources

SIEM Query:

source="nacos.logs" AND (uri_path="/nacos/v1/ops/derby" AND NOT auth_success="true")
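The SIEM query above and the two network indicators can be expressed as a small rule set run over request logs. The following is an added example, not code from the advisory or from Nacos; the log records are constructed JSON lines that reuse the field names from the SIEM query (uri_path, auth_success) and add method and src_ip, which are assumptions about the log schema rather than the project's own format. The trusted network range and the treatment of /nacos/v1/ops/ as the management prefix are likewise assumptions.

```python
"""Run the advisory's detection rules over Nacos request logs.

Added example (not from the advisory or the Nacos project). The log lines
below are constructed; the field names uri_path and auth_success come from
the advisory's SIEM query, while method and src_ip are assumed fields.
"""
import ipaddress
import json

DERBY_ENDPOINT = "/nacos/v1/ops/derby"
MGMT_PREFIX = "/nacos/v1/ops/"            # assumed management-endpoint prefix
WRITE_METHODS = {"POST", "DELETE"}         # from the advisory's network indicators
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted ops range

# Constructed sample records (one JSON object per line).
SAMPLE_LOGS = """\
{"ts":"2021-04-27T10:00:01Z","src_ip":"10.1.2.3","method":"GET","uri_path":"/nacos/v1/console/server/state","auth_success":"true"}
{"ts":"2021-04-27T10:00:05Z","src_ip":"198.51.100.7","method":"GET","uri_path":"/nacos/v1/ops/derby","auth_success":"false"}
{"ts":"2021-04-27T10:00:09Z","src_ip":"10.1.2.3","method":"GET","uri_path":"/nacos/v1/ops/derby","auth_success":"true"}
{"ts":"2021-04-27T10:00:12Z","src_ip":"203.0.113.9","method":"POST","uri_path":"/nacos/v1/ops/derby","auth_success":"true"}
{"ts":"2021-04-27T10:00:15Z","src_ip":"203.0.113.9","method":"DELETE","uri_path":"/nacos/v1/ops/derby","auth_success":"false"}
"""


def is_trusted(src_ip: str) -> bool:
    """True when the source address lies inside a trusted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(record: dict) -> list:
    """Return the names of every rule the record matches (possibly none)."""
    rules = []
    path = record.get("uri_path", "")
    # Rule 1: the SIEM query as written -- /derby reached without auth success.
    if path == DERBY_ENDPOINT and record.get("auth_success") != "true":
        rules.append("derby_unauthenticated")
    # Rule 2: write-style requests to management endpoints from outside
    # the trusted range, regardless of whether auth succeeded.
    if (record.get("method") in WRITE_METHODS
            and path.startswith(MGMT_PREFIX)
            and not is_trusted(record.get("src_ip", "0.0.0.0"))):
        rules.append("mgmt_write_untrusted_source")
    return rules


def scan(log_text: str) -> list:
    """Parse JSON lines and return one alert dict per (record, rule) hit."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        for rule in classify(record):
            alerts.append({"line": line_no, "src_ip": record.get("src_ip"), "rule": rule})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Line 3 in the sample (an authenticated GET from the trusted range) produces no alert, which is the behaviour to preserve: after the 1.4.1 upgrade, legitimate operator use of the endpoint is expected, and the signal is specifically the unauthenticated or off-network access that the advisory describes.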

🔗 References
