Bug 1918265 (CVE-2020-36048)
Summary: | CVE-2020-36048 yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | bdettelb, mcooper, osoukup, tomckay |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | engine.io 4.0.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
An uncontrolled resource consumption vulnerability was found in engine.io. If an attacker crafts a packet with a very large payload length or crafts many small packets, this can cause the engine.io to consume an ever increasing amount of memory and/or CPU, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-28 01:43:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1918267 |
Description
Marian Rehak
2021-01-20 11:07:52 UTC
Based off the description: "This change reduces the default value from 100 mb to a more sane 1 mb. This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data." Changing our impact to Important as engine.io can be used in the server sense, and this would constituent as a remote DoS - worst case. Leaving Quay affects as Low, as these look like dev dependencies to me but want to confirm with engineering first. $ npm list --prod | grep engine External References: https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749 Statement: Red Hat Quay uses engine.io as a dependency of karma. Karma and therefore engine.io are only used at build time, and not during runtime, making this vulnerability low impact for Red Hat Quay. |