GHSA-6h3m-36w8-hv68

Suggest an improvement
Source
https://github.com/advisories/GHSA-6h3m-36w8-hv68
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-6h3m-36w8-hv68/GHSA-6h3m-36w8-hv68.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6h3m-36w8-hv68
Aliases
Related
Published
2022-03-10T22:07:30Z
Modified
2024-08-21T14:57:11.136064Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Arbitrary file write in nats-server
Details

(This document is canonically: https://advisories.nats.io/CVE/CVE-2022-26652.txt)

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

JetStream is the optional RAFT-based resilient persistent feature of NATS.

Problem Description

The JetStream streams can be backed up and restored via NATS. The backup format is a tar archive file. Inadequate checks on the filenames within the archive file permit a so-called "Zip Slip" attack in the stream restore.

NATS nats-server through 2022-03-09 (fixed in release 2.7.4) did not correctly sanitize elements of the archive file, thus a user of NATS could cause the NATS server to write arbitrary content to an attacker-controlled filename.

Affected versions

NATS Server: * 2.2.0 up to and including 2.7.3. + Introduced with JetStream Restore functionality * Fixed with nats-io/nats-server: 2.7.4 * Docker image: nats https://hub.docker.com/_/nats * NB users of OS package files from our releases: a change in goreleaser defaults, discovered late in the release process, moved the install directory from /usr/local/bin to /usr/bin; we are evaluating the correct solution for subsequent releases, but not recutting this release.

NATS Streaming Server * 0.15.0 up to and including 0.24.2 * Fixed with nats-io/nats-streaming-server: 0.24.3 * Embeds a nats-server, but this server is the old approach which JetStream replaces, so unlikely (but not impossible) to be configured with JS support

Workarounds

  • Disable JetStream for untrusted users.
  • If only one NATS account uses JetStream, such that cross-user attacks are not an issue, and any user in that account with access to the JetStream API is fully trusted anyway, then appropriate sandboxing techniques will prevent exploit.
    • Eg, with systemd, the supplied util/nats-server-hardened.service example configuration demonstrates that NATS runs fine as an unprivileged user under ProtectSystem=strict and PrivateTmp=true restrictions; by only opening a ReadWritePaths hole for the JetStream storage area, the impact of this vulnerability is limited.

Solution

Upgrade the NATS server to at least 2.7.4.

We fully support the util/nats-server-hardened.service configuration for running a NATS server and encourage this approach.

Credits

This issue was reported (on 2022-03-07) to the NATS Maintainers by Yiming Xiang, TIANJI LAB of NSFOCUS.
Thank you / 谢谢你!

Database specific
{
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-10T22:07:30Z",
    "nvd_published_at": "2022-03-10T17:47:00Z",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Go / github.com/nats-io/nats-server/v2

Package

Name
github.com/nats-io/nats-server/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.2.0
Fixed
2.7.4

Go / github.com/nats-io/nats-streaming-server

Package

Name
github.com/nats-io/nats-streaming-server
View open source insights on deps.dev
Purl
pkg:golang/github.com/nats-io/nats-streaming-server

Affected ranges

Type
SEMVER
Events
Introduced
0.15.0
Fixed
0.24.3