GHSA-6H3M-36W8-HV68
Vulnerability from github – Published: 2022-03-10 22:07 – Updated: 2022-03-24 00:21(This document is canonically: https://advisories.nats.io/CVE/CVE-2022-26652.txt)
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
JetStream is the optional RAFT-based resilient persistent feature of NATS.
Problem Description
The JetStream streams can be backed up and restored via NATS. The backup format is a tar archive file. Inadequate checks on the filenames within the archive file permit a so-called "Zip Slip" attack in the stream restore.
NATS nats-server through 2022-03-09 (fixed in release 2.7.4) did not correctly sanitize elements of the archive file, thus a user of NATS could cause the NATS server to write arbitrary content to an attacker-controlled filename.
Affected versions
NATS Server: * 2.2.0 up to and including 2.7.3. + Introduced with JetStream Restore functionality * Fixed with nats-io/nats-server: 2.7.4 * Docker image: nats https://hub.docker.com/_/nats * NB users of OS package files from our releases: a change in goreleaser defaults, discovered late in the release process, moved the install directory from /usr/local/bin to /usr/bin; we are evaluating the correct solution for subsequent releases, but not recutting this release.
NATS Streaming Server * 0.15.0 up to and including 0.24.2 * Fixed with nats-io/nats-streaming-server: 0.24.3 * Embeds a nats-server, but this server is the old approach which JetStream replaces, so unlikely (but not impossible) to be configured with JS support
Workarounds
- Disable JetStream for untrusted users.
- If only one NATS account uses JetStream, such that cross-user attacks are not an issue, and any user in that account with access to the JetStream API is fully trusted anyway, then appropriate sandboxing techniques will prevent exploit.
- Eg, with systemd, the supplied util/nats-server-hardened.service example configuration demonstrates that NATS runs fine as an unprivileged user under ProtectSystem=strict and PrivateTmp=true restrictions; by only opening a ReadWritePaths hole for the JetStream storage area, the impact of this vulnerability is limited.
Solution
Upgrade the NATS server to at least 2.7.4.
We fully support the util/nats-server-hardened.service configuration for running a NATS server and encourage this approach.
Credits
This issue was reported (on 2022-03-07) to the NATS Maintainers by
Yiming Xiang, TIANJI LAB of NSFOCUS.
Thank you / 谢谢你!
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.7.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-streaming-server"
},
"ranges": [
{
"events": [
{
"introduced": "0.15.0"
},
{
"fixed": "0.24.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-26652"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-10T22:07:30Z",
"nvd_published_at": "2022-03-10T17:47:00Z",
"severity": "HIGH"
},
"details": "(This document is canonically: \u003chttps://advisories.nats.io/CVE/CVE-2022-26652.txt\u003e)\n\n## Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nJetStream is the optional RAFT-based resilient persistent feature of NATS.\n\n\n## Problem Description\n\nThe JetStream streams can be backed up and restored via NATS. The backup format is a tar archive file. Inadequate checks on the filenames within the archive file permit a so-called \"Zip Slip\" attack in the stream restore.\n\nNATS nats-server through 2022-03-09 (fixed in release 2.7.4) did not correctly sanitize elements of the archive file, thus a user of NATS\ncould cause the NATS server to write arbitrary content to an attacker-controlled filename.\n\n\n## Affected versions\n\nNATS Server:\n * 2.2.0 up to and including 2.7.3.\n + Introduced with JetStream Restore functionality\n * Fixed with nats-io/nats-server: 2.7.4\n * Docker image: nats \u003chttps://hub.docker.com/_/nats\u003e\n * NB users of OS package files from our releases: a change in goreleaser defaults, discovered late in the release process, moved the install directory from /usr/local/bin to /usr/bin; we are evaluating the correct solution for subsequent releases, but not recutting this release.\n\nNATS Streaming Server\n * 0.15.0 up to and including 0.24.2\n * Fixed with nats-io/nats-streaming-server: 0.24.3\n * Embeds a nats-server, but this server is the old approach which JetStream replaces, so unlikely (but not impossible) to be\n configured with JS support\n\n\n## Workarounds\n\n * Disable JetStream for untrusted users.\n * If only one NATS account uses JetStream, such that cross-user attacks are not an issue, and any user in that account with access to the JetStream API is fully trusted anyway, then appropriate sandboxing techniques will prevent exploit.\n + Eg, with systemd, the supplied util/nats-server-hardened.service example configuration demonstrates that NATS runs fine as an unprivileged user under ProtectSystem=strict and PrivateTmp=true restrictions; by only opening a ReadWritePaths hole for the JetStream storage area, the impact of this vulnerability is limited.\n\n\n## Solution\n\nUpgrade the NATS server to at least 2.7.4.\n\nWe fully support the util/nats-server-hardened.service configuration for running a NATS server and encourage this approach.\n\n\n## Credits\n\nThis issue was reported (on 2022-03-07) to the NATS Maintainers by\nYiming Xiang, TIANJI LAB of NSFOCUS. \nThank you / \u8c22\u8c22\u4f60\uff01\n",
"id": "GHSA-6h3m-36w8-hv68",
"modified": "2022-03-24T00:21:10Z",
"published": "2022-03-10T22:07:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26652"
},
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/pull/2917"
},
{
"type": "WEB",
"url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
},
{
"type": "PACKAGE",
"url": "https://github.com/nats-io/nats-server"
},
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/releases"
},
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.4"
},
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-streaming-server/releases/tag/v0.24.3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary file write in nats-server"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.