Bug 1561950 (CVE-2018-8777)
Field | Value
---|---
Summary | CVE-2018-8777 ruby: DoS by large request in WEBrick
Product | [Other] Security Response
Reporter | Adam Mariš <amaris>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
QA Contact |
Severity | medium
Docs Contact |
Priority | medium
Version | unspecified
CC | bkearney, cbillett, cbuissar, ccoleman, cpelland, dajohnso, dedgar, dmcphers, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jaruga, jfrey, jgoulding, jhardy, jorton, jprause, mtasaka, obarenbo, pvalena, roliveri, ruby-maint, simaishi, s, strzibny, tomckay, vanmeeuwen+fedora, vondruch
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard |
Fixed In Version | ruby 2.2.10, ruby 2.3.7, ruby 2.4.4, ruby 2.5.1
Doc Type | If docs needed, set a value
Doc Text | It was found that WEBrick could be forced to use an excessive amount of memory during the processing of HTTP requests, leading to a Denial of Service. An attacker could use this flaw to send huge requests to a WEBrick application, resulting in the server running out of memory.
Story Points | ---
Clone Of |
Environment |
Last Closed | 2019-06-10 10:19:09 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Bug Depends On | 1561956, 1561957, 1561958, 1563873, 1563874, 1565258, 1568428, 1568429, 1568430, 1568431, 1568432, 1651798, 1652037, 1652038, 1785432, 1785433, 1785434
Bug Blocks | 1561954
Description
Adam Mariš
2018-03-29 09:08:24 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1561957]

Statement:

This issue affects the versions of ruby as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of ruby as shipped with Red Hat Subscription Asset Manager 1. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Upstream patch:

> Affected versions:

trunk branch: r62965 https://github.com/ruby/ruby/commit/32e277acbf35de454befc1573aff1063a55403cf

> Ruby 2.2 series: 2.2.9 and earlier

ruby_2_2 branch https://github.com/ruby/ruby/commit/a45622669bb1ff18d3ee9b411128acd839c4263e

> Ruby 2.3 series: 2.3.6 and earlier
> Ruby 2.4 series: 2.4.3 and earlier
> Ruby 2.5 series: 2.5.0 and earlier

On ruby_2_N branches, search by "webrick/httpauth/digestauth: stream req.body" or "r62965".

Notable comment in the commit:

> WARNING! WARNING! WARNING! LIKELY BROKEN CHANGE
>
> Pass a proc to WEBrick::HTTPRequest#body to avoid reading a
> potentially large request body into memory during
> authentication.
>
> WARNING! this will break apps completely which want to do
> something with the body besides calculating the MD5 digest of it.
>
> Also, keep in mind that probably nobody uses "auth-int".
> Servers such as Apache, lighttpd, nginx don't seem to
> support it; nor does curl when using POST/PUT bodies;
> and we didn't have tests for it until now...

trunk branch: r62965, but the ruby_2_2 branch's commit is merged from between r62960 and r62965 with new tests.
https://github.com/ruby/ruby/commit/a45622669bb1ff18d3ee9b411128acd839c4263e
It looks better to merge the commit on ruby_2_2.

(In reply to Jun Aruga from comment #9)
> > Also, keep in mind that probably nobody uses "auth-int".
> > Servers such as Apache, lighttpd, nginx don't seem to
> > support it; nor does curl when using POST/PUT bodies;
> > and we didn't have tests for it until now...

I think this ^^ comment explains that this is probably a corner case, which won't affect too many people. Also, upstream applied the patch in the end, even though there was this concern, so let's follow.

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3729

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3730

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2018:3731

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2028 https://access.redhat.com/errata/RHSA-2019:2028

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0542 https://access.redhat.com/errata/RHSA-2020:0542

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0591 https://access.redhat.com/errata/RHSA-2020:0591

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0663 https://access.redhat.com/errata/RHSA-2020:0663
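The change the upstream commit message in this bug describes (passing a block to WEBrick::HTTPRequest#body so the Digest "auth-int" entity hash is computed chunk by chunk instead of after buffering the whole body), shown as an added Ruby example that is not code from this bug report or from the ruby project. FakeRequest is a constructed stand-in for WEBrick::HTTPRequest that models only the two shapes of #body, returning the whole body as a String without a block and yielding chunks with one; its 4096-byte chunk size, the peak_bytes_held counter used to make the memory difference visible, and the optional max_bytes cap in the streamed version are assumptions made for this example, not WEBrick's own constants or behaviour. The request bodies are constructed inline.

```ruby
require "digest"
require "stringio"

# Constructed stand-in for WEBrick::HTTPRequest (assumption for this example).
# It reproduces only the part that matters here: #body returns the entity as
# one String when called without a block and yields it chunk by chunk when a
# block is given. The chunk size is chosen for the example, not WEBrick's.
class FakeRequest
  CHUNK = 4096

  attr_reader :request_method, :request_uri, :peak_bytes_held

  def initialize(request_method, request_uri, body_string)
    @request_method = request_method
    @request_uri = request_uri
    @socket = StringIO.new(body_string) # plays the role of the client socket
    @peak_bytes_held = 0                # largest body String handed out at once
  end

  # Stream with a block, buffer without one (the interface the fix relies on).
  def body
    if block_given?
      while (chunk = @socket.read(CHUNK))
        @peak_bytes_held = [@peak_bytes_held, chunk.bytesize].max
        yield chunk
      end
      nil
    else
      buffered = @socket.read
      @peak_bytes_held = [@peak_bytes_held, buffered.bytesize].max
      buffered.empty? ? nil : buffered
    end
  end
end

# Pre-fix shape: the whole entity body is materialised before it is hashed,
# so the client decides how much memory one in-flight request pins.
def entity_digest_buffered(req)
  Digest::MD5.hexdigest(req.body || "")
end

# Post-fix shape: chunks go straight into the digest, so peak memory is one
# chunk regardless of Content-Length. The max_bytes cap is an extra guard
# added for this example; the upstream commit does not impose one.
def entity_digest_streamed(req, max_bytes: nil)
  h = Digest::MD5.new
  seen = 0
  req.body do |chunk|
    seen += chunk.bytesize
    if max_bytes && seen > max_bytes
      raise ArgumentError, "entity body exceeds #{max_bytes} bytes"
    end
    h.update(chunk)
  end
  h.hexdigest
end

# RFC 2617 response value for qop=auth-int, where A2 = method:uri:H(entity-body).
def digest_auth_int_response(ha1:, nonce:, nc:, cnonce:, method:, uri:, entity_hash:)
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}:#{entity_hash}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:auth-int:#{ha2}")
end

if $PROGRAM_NAME == __FILE__
  payload = "A" * (8 * 1024 * 1024) # constructed 8 MiB attacker body
  buffered = FakeRequest.new("POST", "/upload", payload)
  streamed = FakeRequest.new("POST", "/upload", payload)
  entity_digest_buffered(buffered)
  entity_digest_streamed(streamed)
  puts "buffered peak: #{buffered.peak_bytes_held} bytes"
  puts "streamed peak: #{streamed.peak_bytes_held} bytes"
end
```

Both paths produce the same entity hash, so the authentication result is unchanged; what changes is that the streamed path never holds more than one chunk of an arbitrarily large body. The cap is worth keeping even after the fix, because hashing a multi-gigabyte body still costs CPU and connection time, just no longer memory.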