websocket-extensions npm module prior to 1.0.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. Reference: https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv Upstream commit: https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237
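The mitigation class for this bug is to stop parsing `Sec-WebSocket-Extensions` with a backtracking regular expression and instead scan the header once, left to right, handling backslash escapes as you go. The following is an added example written for this page; it is not the websocket-extensions module's code nor its upstream fix. It parses the RFC 6455 section 9.1 grammar (extension-list, params, token or quoted-string values) in a single pass, so an unclosed quoted string full of backslash pairs costs linear time and is rejected when the input ends, and it applies an assumed `MAX_HEADER_LENGTH` guard (a value you would pick for your own deployment) before parsing at all.

```javascript
// Added example, not the websocket-extensions module's own parser.
// Single-pass, linear-time parser for the Sec-WebSocket-Extensions header.
// Every character is visited at most once, so an unterminated quoted-string
// containing repeated "\x" escape pairs is handled in O(n) and rejected when
// the input ends, rather than causing regex backtracking.

// Assumed operational limit; choose one appropriate for your server.
const MAX_HEADER_LENGTH = 4096;

// RFC 7230 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
// "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA. Single-character test, constant time.
function isTokenChar(c) {
  return /[!#$%&'*+\-.^_`|~0-9A-Za-z]/.test(c);
}

// Returns an array of { name, params } objects; params values are strings,
// or `true` for a parameter given without "=value".
function parseExtensionHeader(header) {
  if (typeof header !== 'string') throw new TypeError('header must be a string');
  if (header.length > MAX_HEADER_LENGTH) throw new RangeError('header too long');

  const extensions = [];
  const n = header.length;
  let pos = 0;

  const skipOws = () => {
    while (pos < n && (header[pos] === ' ' || header[pos] === '\t')) pos++;
  };

  const readToken = () => {
    const start = pos;
    while (pos < n && isTokenChar(header[pos])) pos++;
    if (pos === start) throw new SyntaxError(`expected token at offset ${pos}`);
    return header.slice(start, pos);
  };

  // quoted-string = DQUOTE *( qdtext / "\" char ) DQUOTE
  // Consumes escape pairs two characters at a time and never re-reads input;
  // a missing closing quote (or a dangling backslash) is detected at end of input.
  const readQuotedString = () => {
    pos++; // consume the opening quote
    let out = '';
    while (pos < n) {
      const c = header[pos];
      if (c === '"') { pos++; return out; }
      if (c === '\\') {
        if (pos + 1 >= n) break; // dangling backslash at end of input
        out += header[pos + 1];
        pos += 2;
      } else {
        out += c;
        pos++;
      }
    }
    throw new SyntaxError('unterminated quoted-string in Sec-WebSocket-Extensions');
  };

  while (pos < n) {
    skipOws();
    if (pos < n && header[pos] === ',') { pos++; continue; } // tolerate empty list elements
    if (pos >= n) break;

    const name = readToken();
    const params = {};
    skipOws();
    while (pos < n && header[pos] === ';') {
      pos++;
      skipOws();
      const key = readToken();
      let value = true;
      skipOws();
      if (pos < n && header[pos] === '=') {
        pos++;
        skipOws();
        value = (pos < n && header[pos] === '"') ? readQuotedString() : readToken();
      }
      params[key] = value;
      skipOws();
    }
    extensions.push({ name, params });

    skipOws();
    if (pos < n) {
      if (header[pos] !== ',') throw new SyntaxError(`unexpected character at offset ${pos}`);
      pos++;
    }
  }
  return extensions;
}
```

Call `parseExtensionHeader(req.headers['sec-websocket-extensions'])` during the WebSocket handshake and treat a thrown `SyntaxError` or `RangeError` as a reason to reject the upgrade. The length guard is the cheaper first line of defence; the single-pass scanner is what removes the quadratic behaviour, because each byte advances `pos` exactly once regardless of how many backslash pairs the client sends.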
Based on upstream links, this is prior to 0.1.4 (not 1.0.4)
Statement: In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana and prometheus containers are behind OpenShift OAuth, restricting access to the vulnerable websocket-extensions module to authenticated users only; therefore the impact is Low.
OpenShift (OCP) 4.x includes a vulnerable version of websocket-extensions (v0.1.3) in the containers openshift4/ose-grafana and openshift4/ose-prometheus. OpenShift ServiceMesh (OSSM) includes a vulnerable version (v0.1.3) in the openshift-service-mesh/grafana-rhel8 container.
External References: https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7662
This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298