Subject: nats-server panic via account import loops

NATS-advisory-ID: 2022-06
CVE: CVE-2022-42709
Date: 2022-10-10
Fixed-In: nats-server 2.9.3

Background:

NATS.io is a high-performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

NATS allows for having multiple Accounts, each Account holding Users, where the Account provides a namespace for message Subjects. Exposing messages between accounts uses an Export and Import mechanism to bridge the namespaces.

Problem Description:

Just as in CVE-2020-28466, there is a way to craft a cycle in exports and imports which will crash the nats-server.

Exports and imports can be configured directly in the configuration file, and a loop configured there is a reliability problem, not a security problem. They can also be configured via delegation into the Accounts, which are managed by the tenants of the NATS Operator hierarchy. Deployments using Accounts with Account JWTs are thus susceptible to DoS by any holder of an Account.

Affected versions:

NATS Server:
 * 2.0.0 up to and including 2.9.2.
 * Fixed with nats-io/nats-server: 2.9.3

Workarounds:

Suspend the ability of account holders to update their accounts in your account control plane, until you can update the nats-server.

Solution:

Upgrade the NATS server to at least 2.9.3.

Credits:

This issue was discovered internally by a NATS Maintainer. There is no evidence known to us that this has been exploited.

References:

 * This document is canonically:
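The workaround above blocks all account updates until the server is patched. A less blunt option for an account control plane is to reject only those updates whose imports would close a loop. The following Go program is an added example, not code from the advisory or from nats-server: it models each account as the list of accounts it imports from (a simplified view that ignores subject mapping details), runs a depth-first search over the import graph, and refuses an account update that would introduce a cycle. The Import and Accounts types, FindImportCycle and AdmitAccountUpdate are hypothetical names, and the account names ACME and SVC are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Import models one account importing a subject exported by another account.
// This is a simplified, constructed model of NATS account imports, not the
// nats-server's own data structures.
type Import struct {
	Subject string // subject exported by the source account
	From    string // name of the exporting account
}

// Accounts maps an account name to the imports it declares.
type Accounts map[string][]Import

// FindImportCycle walks the import graph (edge: importer -> exporter) with a
// depth-first search and returns the first cycle found as an ordered list of
// account names (first and last entry identical), or nil when acyclic.
func FindImportCycle(accts Accounts) []string {
	const (
		unvisited = iota // zero value of the map: never seen
		inProgress       // on the current DFS stack
		done             // fully explored
	)
	state := make(map[string]int)
	var stack []string

	var visit func(name string) []string
	visit = func(name string) []string {
		state[name] = inProgress
		stack = append(stack, name)
		for _, imp := range accts[name] {
			switch state[imp.From] {
			case inProgress:
				// Back edge: the cycle is the stack from imp.From onward.
				for i, n := range stack {
					if n == imp.From {
						cycle := append([]string{}, stack[i:]...)
						return append(cycle, imp.From)
					}
				}
			case unvisited:
				if c := visit(imp.From); c != nil {
					return c
				}
			}
		}
		stack = stack[:len(stack)-1]
		state[name] = done
		return nil
	}

	// Visit in sorted order so the reported cycle is deterministic.
	names := make([]string, 0, len(accts))
	for n := range accts {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if state[n] == unvisited {
			if c := visit(n); c != nil {
				return c
			}
		}
	}
	return nil
}

// AdmitAccountUpdate is a hypothetical pre-flight check a control plane could
// run before pushing an updated account JWT: the update is rejected if the
// resulting import graph contains a loop.
func AdmitAccountUpdate(current Accounts, name string, imports []Import) error {
	proposed := make(Accounts, len(current)+1)
	for k, v := range current {
		proposed[k] = v
	}
	proposed[name] = imports
	if cycle := FindImportCycle(proposed); cycle != nil {
		return fmt.Errorf("rejecting update for %q: import loop %v", name, cycle)
	}
	return nil
}

func main() {
	// Constructed sample: ACME imports from SVC and SVC imports from ACME.
	accts := Accounts{
		"ACME": {{Subject: "svc.>", From: "SVC"}},
		"SVC":  {{Subject: "acme.events", From: "ACME"}},
	}
	fmt.Println("cycle:", FindImportCycle(accts))
	fmt.Println("admit:", AdmitAccountUpdate(accts, "OTHER", []Import{{Subject: "x", From: "SVC"}}))
}
```

The check is conservative: it flags any loop between accounts, including a self-import, rather than only the specific configurations that trigger the panic, which is the right trade-off for a pre-admission gate that stands in until the server is upgraded.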