CVE-2022-25139: Understanding the Heap Use-After-Free Vulnerability in NJS (.7.) and its Impact on NGINX
Recently, a new vulnerability (CVE-2022-25139) was discovered in the njs scripting engine, affecting versions up to and including .7.. NJS is a subset of the JavaScript language that is designed specifically for extending NGINX functionality. In this blog post, we will discuss the details of this vulnerability, its impact on NGINX, and the steps you can take to mitigate this issue.
Overview of CVE-2022-25139
The vulnerability was found in the njs_await_fulfilled function, which is responsible for handling Promise objects and their resolution. Specifically, a heap use-after-free was identified, meaning that the memory allocated to hold important data within the njs engine has been improperly managed and could be accessed after it has been freed. This can lead to various types of attacks, such as corruption of critical data structures, information disclosure, or even remote code execution.
Here's a code snippet of the vulnerable function from the njs source code (src/njs_vmcode.c)
/*
* Heap use-after-free vulnerability
* in njs_await_fulfilled() function.
*/
void
njs_await_fulfilled(njs_vm_t *vm, njs_parser_node_t *await,
const njs_value_t *value)
{
njs_ret_t ret;
njs_vmcode_ctx_t *ctx;
njs_parser_node_t *call;
call = njs_parser_node_child(await, njs_parser_node_argument);
ctx = vm->current_context;
/* After this point, heap can be freed and it is not safe to access its content */
ret = njs_vmcode_make_context(vm, ctx, call, (njs_index_t) -1, NULL);
if (nxt_fast_path(ret == NXT_OK)) {
njs_vmcode_execute(vm);
}
}
Original References
You can find the original reports and discussions regarding this vulnerability in the following resources:
1. NJS GitHub Repository - Issue #536
2. NVD - CVE-2022-25139 Detail
Exploit Details
An attacker could exploit this vulnerability by crafting a malicious input that would trigger the heap use-after-free issue in the njs_await_fulfilled function. This could potentially allow the attacker to manipulate the system memory in a way that enables them to execute arbitrary code, access sensitive information, or cause a denial-of-service condition on the affected systems. So far, there are no publicly available exploits or proof-of-concept code, but this should not lead to complacency, as attackers could still be working on developing an exploit.
To mitigate this vulnerability, it is recommended that you
1. Update njs to version .7.1 or later, as this includes a patch that fixes the heap use-after-free issue.
2. Monitor the security channels of njs and NGINX for any new developments or updates on this vulnerability.
3. Review and apply the principle of least privilege for your web applications and infrastructure to minimize the potential impact of vulnerabilities like this.
Conclusion
CVE-2022-25139 is a critical vulnerability affecting njs (up to version .7.) and has potential ramifications in the systems running NGINX with the njs scripting engine. By understanding the details of this vulnerability, you can take the necessary steps to ensure the continued security and stability of your infrastructure. Always be vigilant in monitoring for security updates and invest in proactive vulnerability management to protect your organization from emerging threats.
Timeline
Published on: 02/14/2022 22:15:00 UTC
Last modified on: 03/24/2022 14:35:00 UTC