Subject: nats-server panic via authenticated user
NATS-advisory-ID: 2022-05
CVE: CVE-2022-42708
Date: 2022-10-10
Fixed-In: nats-server 2.9.3

Background:

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

NATS supports persistent storage via JetStream, which provides RAFT-synchronised clustered/replicated storage for stream messages, with K/V and object stores built atop it.

Problem Description:

JetStream persistent stores are created via NATS messages on certain Subjects. The nats-server did not adequately sanity-check the desired replica count in the creation message, leading to a server panic.

Thus a nats-server with JetStream enabled for a given account can be DoS'd by any authenticated user in that account (barring ACLs preventing JetStream management access).

Affected versions:

NATS Server:
 * 2.2.0 up to and including 2.9.2.
 * Fixed with nats-io/nats-server: 2.9.3

Workarounds:

Ensure all untrusted user accounts have ACLs preventing access to $JS Subjects.

Solution:

Upgrade the NATS server to at least 2.9.3.

Credits:

This issue was discovered internally by a NATS Maintainer.

There is no evidence known to us that this has been exploited.

References:

 * This document is canonically:
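As an added illustration of the workaround above (not part of the advisory itself), the following nats-server configuration fragment gives one trusted user full JetStream access while denying an untrusted user publish access to the JetStream management API prefix. The account name, user names, credentials and application subject (orders.>) are placeholders; $JS.API.> is the standard prefix under which the JetStream management requests (stream and consumer creation among them) are published, and denying publish to it is the narrowest rule that still leaves consumer acknowledgement subjects usable.

```conf
# Added example (not from the advisory): deny untrusted users the JetStream API.
jetstream {
  store_dir: "/var/lib/nats/jetstream"
}

accounts {
  APP {
    # JetStream is enabled for this account, so every user in it could
    # otherwise send stream-creation requests.
    jetstream: enabled
    users: [
      # Trusted operator: may manage streams and consumers.
      {
        user: "js-admin"
        password: "CHANGE-ME-admin"       # placeholder credential
        permissions: {
          publish:   { allow: [">"] }
          subscribe: { allow: [">"] }
        }
      },
      # Untrusted client: may use application subjects and request/reply
      # inboxes, but cannot publish to the JetStream management API.
      {
        user: "app-client"
        password: "CHANGE-ME-client"      # placeholder credential
        permissions: {
          publish: {
            allow: ["orders.>", "_INBOX.>"]
            deny:  ["$JS.API.>"]           # blocks stream/consumer management requests
          }
          subscribe: { allow: ["orders.>", "_INBOX.>"] }
        }
      }
    ]
  }
}
```

A user whose publish permission is denied for $JS.API.> receives a permissions violation from the server instead of having the request reach JetStream, which is what keeps the unpatched replica-count check from being reached by that user.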