| Summary: | nats-server new security issue CVE-2022-24450 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, pterjan, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | nats-server-2.1.9-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2022-02-08 22:11:32 CET

David Walser
2022-02-08 22:12:11 CET
Severity: normal => critical

Assigning to the package maintainer Pascal.

Assignee: bugsquad => pterjan

Update to 2.7.2 in Cauldron (which required a git snapshot of golang-github-nats-io-jwt and importing golang-github-minio-highwayhash). I'll look at the fix for 8 but it will take some time. The large commit to backport is https://github.com/nats-io/nats-server/commit/664e8b92b6906832a78feb07f0f144b8f1ad19f9 and while it will be easy to do the same on older code, almost none of it applies so it will need to be done manually. And sadly I can't steal the work from Fedora https://bugzilla.redhat.com/show_bug.cgi?id=2056579 as they didn't update it yet :)

That took less than 20 minutes! Upload in progress:

nats-server-2.1.9-1.1.mga8.src.rpm
compat-golang-github-nats-io-gnatsd-devel-2.1.9-1.1.mga8.noarch.rpm
compat-golang-github-nats-io-server-2-devel-2.1.9-1.1.mga8.noarch.rpm
golang-github-nats-io-server-devel-2.1.9-1.1.mga8.noarch.rpm
nats-server-2.1.9-1.1.mga8.x86_64.rpm
David Walser
2022-05-22 21:04:56 CEST
Version: Cauldron => 8

I know nothing about this, but decided not to let that stop me...
No previous updates, so I sought information on the Web. A search for "nats" netted me several references to the Washington Nationals baseball team, a website with gardening advice about getting rid of gnats, and a video introduction to NATS on YouTube. I watched some of the video, but at around five minutes into it got hopelessly lost, so no help there.
Installed nats-server, staying away from the developer stuff, and updated with qarepo. No installation issues. Looked at the file list, and saw a systemd service and a command, so I went with that:
```
# systemctl status nats-server
● nats-server.service - NATS Server
     Loaded: loaded (/usr/lib/systemd/system/nats-server.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

# systemctl start nats-server

# systemctl status nats-server
● nats-server.service - NATS Server
     Loaded: loaded (/usr/lib/systemd/system/nats-server.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-06-10 21:07:54 EDT; 25s ago
   Main PID: 74660 (nats-server)
      Tasks: 8 (limit: 9446)
     Memory: 3.7M
        CPU: 37ms
     CGroup: /system.slice/nats-server.service
             └─74660 /usr/sbin/nats-server -c /etc/nats-server.conf

Jun 10 21:07:54 localhost.localdomain systemd[1]: Started NATS Server.
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.457707 [INF] Starting nats-server ve>
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.457809 [INF] Git commit [not set]
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458154 [INF] Starting http monitor o>
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458313 [INF] Listening for client co>
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458321 [INF] Server id is NB5PURYBEU>
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458325 [INF] Server is ready
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458844 [INF] Listening for route con>
```
So far, so good. Tried a harmless command:
```
$ nats-server -h
Usage: nats-server [options]

Server Options:
    -a, --addr <host>                Bind to host address (default: 0.0.0.0)
    -p, --port <port>                Use port for clients (default: 4222)
    -P, --pid <file>                 File to store PID
    -m, --http_port <port>           Use port for http monitoring
    -ms,--https_port <port>          Use port for https monitoring
    -c, --config <file>              Configuration file
    -sl,--signal <signal>[=<pid>]    Send signal to nats-server process (stop, quit, reopen, reload)
                                     <pid> can be either a PID (e.g. 1) or the path to a PID file (e.g. /var/run/nats-server.pid)
        --client_advertise <string>  Client URL to advertise to other servers
    -t                               Test configuration and exit

Logging Options:
    -l, --log <file>                 File to redirect log output
    -T, --logtime                    Timestamp log entries (default: true)
    -s, --syslog                     Log to syslog or windows event log
    -r, --remote_syslog <addr>       Syslog server addr (udp://localhost:514)
    -D, --debug                      Enable debugging output
    -V, --trace                      Trace the raw protocol
    -VV                              Verbose trace (traces system account as well)
    -DV                              Debug and trace
    -DVV                             Debug and verbose trace (traces system account as well)

Authorization Options:
        --user <user>                User required for connections
        --pass <password>            Password required for connections
        --auth <token>               Authorization token required for connections

TLS Options:
        --tls                        Enable TLS, do not verify clients (default: false)
        --tlscert <file>             Server certificate file
        --tlskey <file>              Private key for server certificate
        --tlsverify                  Enable TLS, verify client certificates
        --tlscacert <file>           Client certificate CA for verification

Cluster Options:
        --routes <rurl-1, rurl-2>    Routes to solicit and connect
        --cluster <cluster-url>      Cluster URL for solicited routes
        --no_advertise <bool>        Advertise known cluster IPs to clients
        --cluster_advertise <string> Cluster URL to advertise to other servers
        --connect_retries <number>   For implicit routes, number of connect retries

Common Options:
    -h, --help                       Show this message
    -v, --version                    Show version
        --help_tls                   TLS help
```
Lots of options there, plenty of places to get into trouble, so I went with the one option that I understood:
```
$ nats-server -v
nats-server: v2.1.9
```

I'm calling that good enough.

Whiteboard: (none) => MGA8-64-OK

Validating.

CC: (none) => sysadmin-bugs
Dave Hodgins
2022-06-12 21:43:38 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0225.html

Status: NEW => RESOLVED