Bug 2144970 (CVE-2022-41940)

Summary: CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, bdettelb, caswilli, chazlett, gmalinko, hkataria, janstey, jpavlik, jwon, kaycoth, kshier, pdelbell, pjindal
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: engine.io 3.6.1, engine.io 6.2.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in engine.io, the transport layer used by Socket.IO. Engine.IO is vulnerable to a denial of service caused by an uncaught exception. By sending a specially crafted HTTP request, a remote, authenticated attacker can trigger that exception and crash the Node.js process, resulting in a denial of service for everything served by that process.
Last Closed: 2023-06-30 00:16:44 UTC
Bug Depends On: 2144979, 2147340, 2147341
Bug Blocks: 2144971

Description Pedro Sampaio 2022-11-22 19:51:34 UTC
Engine.IO is the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who use dependent packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.

References:

https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085
https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6
https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w
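
Since the only remediation this bug lists is upgrading to engine.io 3.6.1 or 6.2.1, the practical check is to find every copy of engine.io in a deployment's lockfile, including copies nested under socket.io or other dependants, and compare each against those two releases. The script below is an added example written for this page, not code from the engine.io project or from Red Hat. It reads a package-lock.json object (lockfileVersion 1, 2 or 3), classifies each engine.io entry as fixed or vulnerable against the fixed versions named above, and reports major lines this bug does not name (4.x and 5.x) as "unknown" rather than guessing. The sample lockfiles are constructed, and the helper names (parseSemver, compareSemver, engineIoStatus, auditLockfile) are this example's own.

```javascript
// Added example for this bug, not engine.io project code or Red Hat tooling.
// Audits a package-lock.json object for engine.io copies that predate the fixed
// releases named in "Fixed In Version" (3.6.1 and 6.2.1). Major lines this bug does
// not name are reported as "unknown" instead of being guessed at.

const FIXED_BY_MAJOR = {
  3: { major: 3, minor: 6, patch: 1, pre: false },
  6: { major: 6, minor: 2, patch: 1, pre: false },
};

// Parse "6.2.1", "v6.2.1", "6.2.1-rc.1" or "6.2.1+build"; null for anything else.
function parseSemver(text) {
  const re = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
  const m = re.exec(String(text).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] !== undefined };
}

// Numeric compare; a prerelease sorts below the release with the same numbers,
// so 6.2.1-rc.1 is treated as older than 6.2.1.
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  return a.pre ? -1 : 1;
}

// Returns "fixed", "vulnerable" or "unknown" (unparseable, or a major line
// for which this bug names no fixed version).
function engineIoStatus(version) {
  const v = parseSemver(version);
  if (!v) return "unknown";
  const fixed = FIXED_BY_MAJOR[v.major];
  if (!fixed) return "unknown";
  return compareSemver(v, fixed) >= 0 ? "fixed" : "vulnerable";
}

// Walks lockfileVersion 2/3 ("packages": flat map keyed by install path) or, when
// that map is absent, lockfileVersion 1 ("dependencies": nested tree).
// Returns one finding per engine.io copy, nested copies included.
function auditLockfile(lock) {
  const findings = [];
  const record = (path, version) =>
    findings.push({ path, version, status: engineIoStatus(version) });

  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/engine.io" || path.endsWith("/node_modules/engine.io")) {
      record(path, meta.version);
    }
  }
  if (!lock.packages) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "engine.io") record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/socket.io": { version: "4.5.3" },
    "node_modules/engine.io": { version: "6.2.0" },
    "node_modules/legacy-tool/node_modules/engine.io": { version: "3.6.1" },
    "node_modules/other-tool/node_modules/engine.io": { version: "5.2.0" },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "socket.io": { version: "2.4.1", dependencies: { "engine.io": { version: "3.5.0" } } },
  },
};

for (const f of [...auditLockfile(SAMPLE_LOCK_V3), ...auditLockfile(SAMPLE_LOCK_V1)]) {
  console.log(`${f.status.padEnd(10)} ${String(f.version).padEnd(10)} ${f.path}`);
}
```

To run it against a real project, replace the constructed samples with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). Every copy of engine.io is listed, not just the top-level one, because the crash described in this bug takes down the whole Node.js process regardless of which dependant pulled the package in; an "unknown" result means the version needs a manual look against the upstream advisory rather than being silently skipped.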

Comment 2 Anten Skrabec 2022-11-23 18:21:39 UTC
Created pgadmin4 tracking bugs for this issue:

Affects: fedora-37 [bug 2147341]


Created python-socketio tracking bugs for this issue:

Affects: fedora-35 [bug 2147340]

Comment 5 errata-xmlrpc 2023-06-29 20:07:43 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954

Comment 6 Product Security DevOps Team 2023-06-30 00:16:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41940