Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS02aDNtLTM2dzgtaHY2OM0xNA
Arbitrary file write in nats-server
(This document is canonically: https://advisories.nats.io/CVE/CVE-2022-26652.txt)
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
JetStream is the optional RAFT-based resilient persistent feature of NATS.
Problem Description
The JetStream streams can be backed up and restored via NATS. The backup format is a tar archive file. Inadequate checks on the filenames within the archive file permit a so-called "Zip Slip" attack in the stream restore.
NATS nats-server through 2022-03-09 (fixed in release 2.7.4) did not correctly sanitize elements of the archive file, thus a user of NATS could cause the NATS server to write arbitrary content to an attacker-controlled filename.
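The check that a tar restore has to perform before writing anything is shown below as an added illustration; it is not code from nats-server or from the fix referenced by this advisory. Every entry name is resolved against the restore directory and rejected if it is absolute or, after cleaning, lands outside that directory; only directories and regular files are written. The names SafeRestorePath, RestoreTar, buildArchive and the sample entry names are assumptions made for this example, and the archive it builds is constructed in memory, not a real JetStream backup.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for an archive entry whose name would resolve
// outside the restore directory.
var ErrUnsafePath = errors.New("archive entry escapes restore directory")

// SafeRestorePath maps a tar entry name onto a path under dest. It rejects
// empty and absolute names, and any name that, once joined with dest and
// cleaned, no longer lies under dest (this catches "..", including "a/../../b").
func SafeRestorePath(dest, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", ErrUnsafePath
	}
	name = filepath.FromSlash(name)   // tar names use forward slashes
	target := filepath.Join(dest, name) // Join cleans the joined path
	root := filepath.Clean(dest)
	if target != root && !strings.HasPrefix(target, root+string(os.PathSeparator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// RestoreTar extracts directories and regular files from r into dest and
// stops at the first entry that fails SafeRestorePath. It returns the files
// written so far so a caller can audit (or roll back) a partial restore.
func RestoreTar(r io.Reader, dest string) ([]string, error) {
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := SafeRestorePath(dest, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o750); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o750); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o640)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr) // tr yields only the current entry's bytes
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, target)
		default:
			// Symlinks, hard links and device nodes are not part of a stream
			// backup and are skipped rather than recreated.
		}
	}
}

// entry is a constructed archive member used to build sample input.
type entry struct{ Name, Body string }

// buildArchive writes the given entries into an in-memory tar archive
// (constructed sample data for this example).
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o640, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.Body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "restore-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	// One legitimate entry followed by one that tries to climb out of dest.
	archive := buildArchive([]entry{
		{"streams/orders/1.blk", "ok"},
		{"../../escaped.txt", "should never be written"},
	})
	written, err := RestoreTar(bytes.NewReader(archive), dest)
	fmt.Println("written:", written)
	fmt.Println("error:", err)
}
```

The prefix comparison is done on the cleaned, joined path rather than on the raw name, because a name such as `streams/../../x` contains no leading `..` yet still escapes once cleaned; checking for the separator after `root` also prevents `restore2/...` from passing as a child of `restore`.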
Affected versions
NATS Server:
- 2.2.0 up to and including 2.7.3.
- Introduced with JetStream Restore functionality
- Fixed with nats-io/nats-server: 2.7.4
- Docker image: nats https://hub.docker.com/_/nats
- NB users of OS package files from our releases: a change in goreleaser defaults, discovered late in the release process, moved the install directory from /usr/local/bin to /usr/bin; we are evaluating the correct solution for subsequent releases, but not recutting this release.
NATS Streaming Server
- 0.15.0 up to and including 0.24.2
- Fixed with nats-io/nats-streaming-server: 0.24.3
- Embeds a nats-server, but this server is the old approach which JetStream replaces, so unlikely (but not impossible) to be configured with JS support
Workarounds
- Disable JetStream for untrusted users.
- If only one NATS account uses JetStream, such that cross-user attacks are not an issue, and any user in that account with access to the JetStream API is fully trusted anyway, then appropriate sandboxing techniques will prevent exploit.
- E.g., with systemd, the supplied util/nats-server-hardened.service example configuration demonstrates that NATS runs fine as an unprivileged user under ProtectSystem=strict and PrivateTmp=true restrictions; by only opening a ReadWritePaths hole for the JetStream storage area, the impact of this vulnerability is limited to that directory.
Solution
Upgrade the NATS server to at least 2.7.4.
We fully support the util/nats-server-hardened.service configuration for running a NATS server and encourage this approach.
Credits
This issue was reported (on 2022-03-07) to the NATS Maintainers by
Yiming Xiang, TIANJI LAB of NSFOCUS.
Thank you / 谢谢你!
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02aDNtLTM2dzgtaHY2OM0xNA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-6h3m-36w8-hv68, CVE-2022-26652
References:
- https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68
- https://github.com/nats-io/nats-server/pull/2917
- https://github.com/nats-io/nats-server/releases/tag/v2.7.4
- https://github.com/nats-io/nats-streaming-server/releases/tag/v0.24.3
- https://nvd.nist.gov/vuln/detail/CVE-2022-26652
- https://advisories.nats.io/CVE/CVE-2022-26652.txt
- https://github.com/nats-io/nats-server/releases
- http://www.openwall.com/lists/oss-security/2022/03/10/1
- https://github.com/advisories/GHSA-6h3m-36w8-hv68
Blast Radius: 28.6
Affected Packages
go:github.com/nats-io/nats-streaming-server
Dependent packages: 4,332
Dependent repositories: 1,520
Downloads:
Affected Version Ranges: >= 0.15.0, < 0.24.3
Fixed in: 0.24.3
All affected versions: 0.15.0, 0.15.1, 0.16.0, 0.16.2, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.21.1, 0.21.2, 0.22.0, 0.22.1, 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.24.1, 0.24.2
All unaffected versions: 0.1.0, 0.2.0, 0.2.2, 0.3.0, 0.3.4, 0.3.6, 0.3.8, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.2, 0.9.0, 0.9.2, 0.10.0, 0.10.2, 0.11.0, 0.11.2, 0.12.0, 0.12.2, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.25.6
go:github.com/nats-io/nats-server/v2
Dependent packages: 6,417
Dependent repositories: 24,884
Downloads:
Affected Version Ranges: >= 2.2.0, < 2.7.4
Fixed in: 2.7.4
All affected versions: 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.7.3
All unaffected versions: 2.0.0, 2.0.2, 2.0.4, 2.1.0, 2.1.2, 2.1.4, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.9.12, 2.9.14, 2.9.15, 2.9.16, 2.9.17, 2.9.18, 2.9.19, 2.9.20, 2.9.21, 2.9.22, 2.9.23, 2.9.24, 2.9.25, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.10.8, 2.10.9, 2.10.10, 2.10.11, 2.10.12, 2.10.14