Bug 1845982 (CVE-2020-7662)

Summary: CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alegrand, anpicker, bmontgom, eparis, erooth, gparvin, jburrell, jokerman, jramanat, jweiser, kakkoyun, kconner, lcosic, mloibl, nstielau, pkrupa, rcernich, scorneli, sponnaga, stcannon, surbania, tfister, thee
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: npmjs-websocket-extensions 0.1.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-01 19:27:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1846130, 1846131, 1846138, 1846140, 1846826, 1847294, 1847295    
Bug Blocks: 1845986    

Description Guilherme de Almeida Suckevicz 2020-06-10 14:20:35 UTC 
websocket-extensions npm module prior to 1.0.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Reference:
https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv

Upstream commit:
https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237
Comment 1 Dave Baker 2020-06-10 20:46:32 UTC 
Based on upstream links, this is prior to 0.1.4 (not 1.0.4)
Comment 8 Mark Cooper 2020-06-16 06:26:13 UTC 
Statement:

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers are behind OpenShift OAuth restricting access to the vulnerable websocket-extension to authenticated users only, therefore the impact is Low.
Comment 10 Mark Cooper 2020-06-16 07:22:42 UTC 
OpenShift (OCP) 4.x includes a vulnerable version of websocket-extension (v0.1.3) in containers openshift4/ose-grafana and openshift4/ose-prometheus.

OpenShift ServiceMesh (OSSM) includes a vulnerable version (v0.1.3) in the openshift-service-mesh/grafana-rhel8 container.
Comment 11 Mark Cooper 2020-06-16 07:35:50 UTC 
External References:

https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv
Comment 13 errata-xmlrpc 2020-07-01 18:46:07 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796
Comment 14 Product Security DevOps Team 2020-07-01 19:27:56 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7662
Comment 15 errata-xmlrpc 2020-07-07 19:33:44 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861
Comment 17 errata-xmlrpc 2020-10-27 16:24:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298