Incorrect handling of an Upgrade header with the value websocket leads to crashes of containers hosting sockjs apps. This affects the package sockjs before 0.3.20. References: https://snyk.io/vuln/SNYK-JS-SOCKJS-575261 https://github.com/sockjs/sockjs-node/issues/252
In OpenShift 4 the container openshift/ose-prometheus packages a vulnerable version of npm-sockjs (0.3.19). It is present in the Prometheus ReactUI, which is unused in OpenShift but can still be accessed manually via its URL.
Mitigation: There is no mitigation for this issue; the flaw can only be resolved by applying updates.