Bug 1918265 (CVE-2020-36048)

Summary: CVE-2020-36048 yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bdettelb, mcooper, osoukup, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: engine.io 4.0.0 Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption vulnerability was found in engine.io. If an attacker crafts a packet with a very large payload length or crafts many small packets, this can cause the engine.io to consume an ever increasing amount of memory and/or CPU, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 01:43:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1918267    

Description Marian Rehak 2021-01-20 11:07:52 UTC 
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Reference:

https://github.com/bcaller/kill-engine-io
https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b
Comment 1 Mark Cooper 2021-01-27 07:43:24 UTC 
Based off the description:
"This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by
malicious clients sending huge amounts of data."

Changing our impact to Important as engine.io can be used in the server sense, and this would constituent as a remote DoS - worst case.

Leaving Quay affects as Low, as these look like dev dependencies to me but want to confirm with engineering first. 

$ npm list --prod | grep engine
Comment 2 Mark Cooper 2021-01-27 07:43:27 UTC 
External References:

https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749
Comment 4 Mark Cooper 2021-01-27 08:22:47 UTC 
Upstream fix: https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b
Comment 6 Jason Shepherd 2021-03-31 20:32:36 UTC 
Statement:

Red Hat Quay uses engine.io as a dependency of karma. Karma and therefore engine.io are only used at build time, and not during runtime, making this vulnerability low impact for Red Hat Quay.