Subject: Negative user permissions not enforced in one scenario
NATS-advisory-ID: 2022-04
CVE: CVE-2022-29946
Date: 2022-05-04
Fixed-In: nats-server 2.8.2; nats-streaming-server 0.24.6
Background:
NATS.io is a high performance open source pub-sub distributed communication
technology, built for the cloud, on-premise, IoT, and edge computing.
NATS supports users (optionally within accounts) and users can have ACL
rules restricting their access to NATS subjects. The ACLs can be in
server configuration or in the user JWT signed by an account signing key.
Problem Description:
If an ACL for a user includes a positive permission to subscribe to a
wildcard subject and a negative permission to a particular subject which
is matched by that wildcard, then in some situations a queue subscriber
to the wildcard would receive the messages on the subject which is
configured to be denied.
Thus the restriction on subscribing directly to the denied subject was
correctly enforced, but a queue subscription on the wildcard, which can
implicitly receive that subject, was not given the per-message filter
that hides denied subjects.
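To make the missing check concrete, here is an added example (not NATS server code) of the per-subject filter described above, written in Go: a message on a subject may reach a subscriber only if an allow rule covers it and no deny rule does, regardless of how broad the subscription wildcard is. The rule set and subject names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// subjectMatches reports whether a NATS pattern matches a concrete subject:
// "*" matches exactly one token, ">" matches one or more trailing tokens.
func subjectMatches(pattern, subject string) bool {
	pt, st := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, p := range pt {
		if p == ">" {
			return i < len(st) // ">" needs at least one remaining token
		}
		if i >= len(st) || (p != "*" && p != st[i]) {
			return false
		}
	}
	return len(pt) == len(st)
}

// Permissions is a simplified allow/deny rule set for a user's subscriptions.
type Permissions struct {
	Allow []string
	Deny  []string
}

// CanDeliver is the per-message filter the advisory says queue subscribers
// lacked: deliver only if an allow rule covers the subject and no deny rule does.
func (p Permissions) CanDeliver(subject string) bool {
	for _, d := range p.Deny {
		if subjectMatches(d, subject) {
			return false
		}
	}
	for _, a := range p.Allow {
		if subjectMatches(a, subject) {
			return true
		}
	}
	return false
}

func main() {
	perms := Permissions{Allow: []string{"orders.>"}, Deny: []string{"orders.secret"}} // constructed rules
	for _, s := range []string{"orders.public", "orders.secret", "billing.1"} {
		fmt.Printf("%-14s deliver=%v\n", s, perms.CanDeliver(s))
	}
}
```

Note that a deny on the exact subject `orders.secret` does not cover deeper subjects such as `orders.secret.archive`; a deny of `orders.secret.>` would be needed for that.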
Affected versions:
NATS Server:
* 2.0.0 up to and including 2.8.1.
* Fixed with nats-io/nats-server: 2.8.2
* Docker image: nats <https://hub.docker.com/_/nats>
NATS Streaming Server:
* 0.15.0 up to and including 0.24.5
* Fixed with nats-io/nats-streaming-server: 0.24.6
Workarounds:
Recraft user permission rules to only add access, never try to deny it.
Solution:
Upgrade the NATS server to at least 2.8.2.
Credits:
This issue was discovered internally by a NATS Maintainer.
There is no evidence known to us that this has been exploited.
References:
* This document is canonically:
<https://advisories.nats.io/CVE/CVE-2022-29946.txt>
* MITRE CVE entry:
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29946>