Addressing Rack Vulnerabilities! (CVE-2022-44570, CVE-2022-44571, CVE-2022-44572)

On January 18, 2023, Rack vulnerabilities were announced separately from the Ruby on Rails vulnerability[1].

https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125

https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126

https://discuss.rubyonrails.org/t/cve-2022-44572-possible-denial-of-service-vulnerability-in-racks-rfc2183-boundary-parsing/82124

All of these are ReDoS (Regular Expression Denial of Service) issues, and CVE-2022-44571 and CVE-2022-44572 are highly dangerous due to the following characteristics:

  • They are issues in the multipart parsing logic, allowing strings of several MBs to be used for attacks
  • They are triggered when Rails receives an HTTP request
  • No authentication is required for them to be triggered
  • Most Rails servers are affected

CVE-2022-44572 can be triggered with short strings: in the PoC, a 326-byte input took 0.3 seconds to process and a 416-byte input took 22 seconds. If an input exceeding 1MB is sent, processing time is expected to exceed one day.

Updating the Rack version to 2.0.9.2, 2.1.4.2, 2.2.6.2, or 3.0.4.1 will resolve the issue.[2]
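As an added example (not code from the original article or from the Rack project), the following Ruby snippet reads the resolved Rack version out of a Gemfile.lock and compares it against the fixed versions listed above. The lockfile excerpt is constructed, and the helper names are my own.

```ruby
require "rubygems"

# Minimum patched Rack version for each release series named in the advisories.
RACK_FIXED_VERSIONS = {
  "2.0" => Gem::Version.new("2.0.9.2"),
  "2.1" => Gem::Version.new("2.1.4.2"),
  "2.2" => Gem::Version.new("2.2.6.2"),
  "3.0" => Gem::Version.new("3.0.4.1"),
}.freeze

# Returns :patched, :vulnerable, or :unknown when the major.minor series
# is not one of those covered by the advisory list.
def rack_patch_status(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join(".")
  fixed = RACK_FIXED_VERSIONS[series]
  return :unknown unless fixed
  version >= fixed ? :patched : :vulnerable
end

# Extracts the resolved rack version from Gemfile.lock text by matching the
# "    rack (x.y.z)" entry in the specs section; nil if there is none.
# Dependency lines such as "      rack (>= 1.3)" are indented deeper and skipped.
def rack_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^\s{4}rack \(([\w.]+)\)\s*$/)
  match && match[1]
end

# Constructed Gemfile.lock excerpt (hypothetical, not from a real project) pinning
# a release that predates the CVE-2022-44570 fix mentioned in footnote 2.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.6.1)
      rack-test (2.0.2)
        rack (>= 1.3)
LOCK

# Combined check: :not_found if the lockfile has no rack entry.
def audit_lockfile(lockfile_text)
  version = rack_version_from_lockfile(lockfile_text)
  return :not_found unless version
  rack_patch_status(version)
end

if $PROGRAM_NAME == __FILE__
  puts "rack #{rack_version_from_lockfile(SAMPLE_LOCKFILE)}: #{audit_lockfile(SAMPLE_LOCKFILE)}"
end
```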


Additional Notes

On Ruby 3.2.0, CVE-2022-44571 no longer results in a ReDoS, but CVE-2022-44572 still does. If Regexp.timeout is configured, matching raises an error once the configured time is exceeded, which limits the impact. (https://zenn.dev/ooooooo_q/articles/ruby_3_2_redos)

If you run Unicorn as your server, its timeout will trigger. You may also have infrastructure-level automation that handles prolonged unresponsiveness. Both are effective mitigations, but if the attacker keeps sending more such requests than there are workers, the server remains largely unable to respond.

In the GitHub Advisory Database the severity is set to Low, whereas the earlier CVE-2022-30122, which has exactly the same scope of impact, is rated High. (https://github.com/advisories/GHSA-rqv2-275x-2jq5, https://github.com/advisories/GHSA-hxqx-xwvh-44m2)

Footnotes
  1. https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

  2. 2.2.6.1 does not include the fix for CVE-2022-44570 (https://github.com/rack/rack/blob/v2.2.6.2/CHANGELOG.md)
