1918265 – (CVE-2020-36048) CVE-2020-36048 yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport

Bug 1918265 (CVE-2020-36048) - CVE-2020-36048 yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport

Summary: CVE-2020-36048 yarnpkg-socket.io/engine.io: allows attackers to cause a denia...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-36048
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1918267
TreeView+	depends on / blocked

Reported:	2021-01-20 11:07 UTC by Marian Rehak
Modified:	2021-10-28 01:43 UTC (History)
CC List:	4 users (show)
Fixed In Version:	engine.io 4.0.0
Doc Type:	If docs needed, set a value
Doc Text:	An uncontrolled resource consumption vulnerability was found in engine.io. If an attacker crafts a packet with a very large payload length or crafts many small packets, this can cause the engine.io to consume an ever increasing amount of memory and/or CPU, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-10-28 01:43:48 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2021-01-20 11:07:52 UTC

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Reference:

https://github.com/bcaller/kill-engine-io
https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b

Comment 1 Mark Cooper 2021-01-27 07:43:24 UTC

Based off the description:
"This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by
malicious clients sending huge amounts of data."

Changing our impact to Important as engine.io can be used in the server sense, and this would constituent as a remote DoS - worst case.

Leaving Quay affects as Low, as these look like dev dependencies to me but want to confirm with engineering first. 

$ npm list --prod | grep engine

Comment 2 Mark Cooper 2021-01-27 07:43:27 UTC

External References:

https://snyk.io/vuln/SNYK-JS-ENGINEIO-1056749

Comment 4 Mark Cooper 2021-01-27 08:22:47 UTC

Upstream fix: https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b

Comment 6 Jason Shepherd 2021-03-31 20:32:36 UTC

Statement:

Red Hat Quay uses engine.io as a dependency of karma. Karma and therefore engine.io are only used at build time, and not during runtime, making this vulnerability low impact for Red Hat Quay.

Note You need to log in before you can comment on or make changes to this bug.