The methods for sending and receiving data on a WebSocket accept a CancellationToken, but previously did not implement actual support for cancellation. Activating the cancellation token would result in a no-op, and would not cancel any in progress operations. This provided a potential avenue for DOS, by tying up connections to a server with WebSocket connections that the server could not cancel.
This issue has been addressed in the following products: .NET Core on Red Hat Enterprise Linux Via RHSA-2019:0040 https://access.redhat.com/errata/RHSA-2019:0040
References: https://github.com/aspnet/Announcements/issues/334 https://github.com/aspnet/AspNetCore/issues/6487 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0564