Bug 2313672 (CVE-2024-45614)

Summary: CVE-2024-45614 rubygem-puma: Header normalization allows for client to clobber proxy set headers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahanwate, anthomas, bbuckingham, caswilli, ehelms, ggainey, juwatts, jvasik, kaycoth, mhulan, nmoumoul, osousa, pcreech, rblanco, rchan, saroy, smallamp, vmugicag, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-puma. In affected versions, clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. As a mitigation, Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2313741, 2313700, 2313701, 2313702, 2313703    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-19 23:20:30 UTC 
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
Comment 1 Vít Ondruch 2024-09-20 08:44:10 UTC 
@Avinash why only f39 / f40 trackers were created when all Fedoras are impacted IMHO?

And why I - as a Fedora maintainer of rubygem-puma - am not on CC of this flaw tracker?
Comment 2 Sandipan Roy 2024-09-20 10:49:53 UTC 
Fedora-all tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2313741