CVE-2021-39228 - Vulnerability Details

Vendors	Products
Linuxfoundation	Tremor

Source	ID	Title
EUVD	EUVD-2021-2093	Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`.
Github GHSA	GHSA-mc22-5q92-8v85	Memory Safety Issue when using patch or merge on state and assign the result back to state

Link	Providers
https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e
https://github.com/tremor-rs/tremor-runtime/pull/1217
https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6
https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85

{"containers": {"cna": {"affected": [{"product": "tremor-runtime", "vendor": "tremor-rs", "versions": [{"status": "affected", "version": "> 0.7.2, < 0.11.6"}]}], "descriptions": [{"lang": "en", "value": "Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416: Use After Free", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-825", "description": "CWE-825: Expired Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-17T14:00:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tremor-rs/tremor-runtime/pull/1217"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6"}], "source": {"advisory": "GHSA-mc22-5q92-8v85", "discovery": "UNKNOWN"}, "title": "Memory Safety Issue when using patch or merge on state and assign the result back to state", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39228", "STATE": "PUBLIC", "TITLE": "Memory Safety Issue when using patch or merge on state and assign the result back to state"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tremor-runtime", "version": {"version_data": [{"version_value": "> 0.7.2, < 0.11.6"}]}}]}, "vendor_name": "tremor-rs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-416: Use After Free"}]}, {"description": [{"lang": "eng", "value": "CWE-825: Expired Pointer Dereference"}]}]}, "references": {"reference_data": [{"name": "https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85", "refsource": "CONFIRM", "url": "https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85"}, {"name": "https://github.com/tremor-rs/tremor-runtime/pull/1217", "refsource": "MISC", "url": "https://github.com/tremor-rs/tremor-runtime/pull/1217"}, {"name": "https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e", "refsource": "MISC", "url": "https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e"}, {"name": "https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6", "refsource": "MISC", "url": "https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6"}]}, "source": {"advisory": "GHSA-mc22-5q92-8v85", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.328Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tremor-rs/tremor-runtime/pull/1217"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39228", "datePublished": "2021-09-17T14:00:15", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.328Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:tremor:*:*:*:*:*:*:*:*", "matchCriteriaId": "970F7787-81D3-4A1C-B0C2-78D2A9C1D596", "versionEndExcluding": "0.11.6", "versionStartIncluding": "0.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`."}, {"lang": "es", "value": "Tremor es un sistema de procesamiento de eventos para datos no estructurados. Se presenta una vulnerabilidad entre las versiones 0.7.2 y 0.11.6. Esta vulnerabilidad es un problema de seguridad de memoria cuando es usado \"patch\" o \"merge\" en \"state\" y se asigna el resultado de nuevo a \"state\". En este caso, las versiones afectadas de Tremor y el crate tremor-script mantienen referencias a la memoria que podr\u00edan haber sido liberadas ya. Y estas regiones de memoria pueden ser accedidas al recuperar el \"state\", por ejemplo, envi\u00e1ndolo por TCP o HTTP. Esto requiere que el servidor Tremor (o cualquier otro programa usando tremor-script) ejecute un script tremor-script que use la construcci\u00f3n de lenguaje mencionada. El problema ha sido parcheado en la versi\u00f3n 0.11.6, al eliminar la optimizaci\u00f3n y clonando siempre la expresi\u00f3n de destino de una Fusi\u00f3n o Parche. Si no es posible una actualizaci\u00f3n, una posible soluci\u00f3n es evitar la optimizaci\u00f3n introduciendo una variable temporal y no reasignando inmediatamente a \"state\""}], "id": "CVE-2021-39228", "lastModified": "2024-11-21T06:18:57.560", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-17T14:15:08.413", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/tremor-rs/tremor-runtime/pull/1217"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/tremor-rs/tremor-runtime/pull/1217"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}, {"lang": "en", "value": "CWE-825"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object