{ "threat_severity" : "Moderate", "public_date" : "2024-06-16T00:00:00Z", "bugzilla" : { "description" : "nodejs-ws: denial of service when handling a request with many HTTP headers", "id" : "2292777", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2292777" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", "A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service." ], "affected_release" : [ { "product_name" : "Red Hat Developer Hub 1.3 on RHEL 9", "release_date" : "2024-11-11T00:00:00Z", "advisory" : "RHBA-2024:9054", "cpe" : "cpe:/a:redhat:rhdh:1.3::el9", "package" : "rhdh/rhdh-hub-rhel9:1.3-124" }, { "product_name" : "RHODF-4.14-RHEL-9", "release_date" : "2025-06-04T00:00:00Z", "advisory" : "RHSA-2025:8551", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.14::el9", "package" : "odf4/odf-console-rhel9:v4.14.18-3" }, { "product_name" : "RHODF-4.15-RHEL-9", "release_date" : "2025-06-04T00:00:00Z", "advisory" : "RHSA-2025:8544", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package" : "odf4/odf-console-rhel9:v4.15.14-2" }, { "product_name" : "RHODF-4.16-RHEL-9", "release_date" : "2024-07-17T00:00:00Z", "advisory" : "RHSA-2024:4591", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package" : "odf4/mcg-core-rhel9:v4.16.0-60" }, { "product_name" : "RHODF-4.16-RHEL-9", "release_date" : "2024-08-19T00:00:00Z", "advisory" : "RHSA-2024:5547", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package" : "odf4/mcg-core-rhel9:v4.16.1-2" }, { "product_name" : "RHODF-4.16-RHEL-9", "release_date" : "2024-09-18T00:00:00Z", "advisory" : "RHSA-2024:6755", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package" : "odf4/odf-console-rhel9:v4.16.2-2" }, { "product_name" : "Red Hat OpenShift Pipelines 1.15", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3710", "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8", "package" : "openshift-pipelines/pipelines-hub-ui-rhel8:sha256:0dee713a14ab49d93b52b280d4ca3c6fc1c5f604087c81b755a6715330c91ea7" }, { "product_name" : "Red Hat OpenShift Pipelines 1.15", "release_date" : "2026-03-04T00:00:00Z", "advisory" : "RHSA-2026:3712", "cpe" : "cpe:/a:redhat:openshift_pipelines:1.15::el8", "package" : "openshift-pipelines/pipelines-hub-ui-rhel8:sha256:0dee713a14ab49d93b52b280d4ca3c6fc1c5f604087c81b755a6715330c91ea7" } ], "package_state" : [ { "product_name" : "Cryostat 2", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:cryostat:2" }, { "product_name" : "Migration Toolkit for Applications 6", "fix_state" : "Under investigation", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6" }, { "product_name" : "Migration Toolkit for Applications 7", "fix_state" : "Fix deferred", "package_name" : "mta/mta-cli-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:7" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Under investigation", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Multicluster Engine for Kubernetes", "fix_state" : "Not affected", "package_name" : "multicluster-engine/console-mce-rhel8", "cpe" : "cpe:/a:redhat:multicluster_engine" }, { "product_name" : "Multicluster Engine for Kubernetes", "fix_state" : "Not affected", "package_name" : "multicluster-engine/multicluster-engine-console-mce-rhel8", "cpe" : "cpe:/a:redhat:multicluster_engine" }, { "product_name" : ".NET 6.0 on Red Hat Enterprise Linux", "fix_state" : "Out of support scope", "package_name" : "rh-dotnet60-dotnet", "cpe" : "cpe:/a:redhat:rhel_dotnet:6.0" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Not affected", "package_name" : "3scale-system", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/console-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Affected", "package_name" : "ansible-automation-platform-25/lightspeed-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "automation-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "automation-eda-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat Ceph Storage 5", "fix_state" : "Not affected", "package_name" : "ceph", "cpe" : "cpe:/a:redhat:ceph_storage:5" }, { "product_name" : "Red Hat Ceph Storage 6", "fix_state" : "Will not fix", "package_name" : "thrift", "cpe" : "cpe:/a:redhat:ceph_storage:6" }, { "product_name" : "Red Hat Ceph Storage 7", "fix_state" : "Affected", "package_name" : "thrift", "cpe" : "cpe:/a:redhat:ceph_storage:7" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Discovery 1", "fix_state" : "Not affected", "package_name" : "discovery-server-container", "cpe" : "cpe:/a:redhat:discovery:1" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Under investigation", "package_name" : "dotnet8.0", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "dotnet6.0", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "ceph", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Under investigation", "package_name" : "dotnet6.0", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Out of support scope", "package_name" : "dotnet7.0", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Under investigation", "package_name" : "dotnet8.0", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Under investigation", "package_name" : "gjs", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "polkit", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Under investigation", "package_name" : "openshift4/ose-console", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Openshift Container Storage 4", "fix_state" : "Under investigation", "package_name" : "ocs4/mcg-core-rhel8", "cpe" : "cpe:/a:redhat:openshift_container_storage:4" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Will not fix", "package_name" : "devspaces/code-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Will not fix", "package_name" : "devspaces/dashboard-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Under investigation", "package_name" : "openshift-gitops-1/gitops-operator-bundle", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "nodejs-ws", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Under investigation", "package_name" : "quay/quay-rhel8", "cpe" : "cpe:/a:redhat:quay:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-37890\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-37890\nhttps://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q" ], "name" : "CVE-2024-37890", "mitigation" : { "value" : "The issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. The issue can be mitigated also by seting server.maxHeadersCount to 0.", "lang" : "en:us" }, "csaw" : false }