Bug 1561950 – CVE-2018-8777 ruby: DoS by large request in WEBrick

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1561950 - (CVE-2018-8777) CVE-2018-8777 ruby: DoS by large request in WEBrick

Summary:	CVE-2018-8777 ruby: DoS by large request in WEBrick

Status:	NEW

Aliases:	CVE-2018-8777

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180328,repor...
Keywords:	Security

Depends On:	1568428 1568429 1568430 1568432 1561956 1561957 1561958 1563873 1563874 1565258 1568431
Blocks:	1561954
	Show dependency tree / graph

Reported:	2018-03-29 05:08 EDT by Adam Mariš
Modified:	2018-07-17 08:34 EDT (History)
CC List:	30 users (show)

See Also:
Fixed In Version:	ruby 2.2.10, ruby 2.3.7, ruby 2.4.4, ruby 2.5.1
Doc Type:	If docs needed, set a value
Doc Text:	It was found that WEBrick could be forced to use an excessive amount of memory during the processing of HTTP requests, leading to a Denial of Service. An attacker could use this flaw to send huge requests to a WEBrick application, resulting in the server running out of memory.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2018-03-29 05:08:24 EDT

If an attacker sends a large request which contains huge HTTP headers, WEBrick try to process it on memory, so the request causes the out-of-memory DoS attack.

Affected versions:

Ruby 2.2 series: 2.2.9 and earlier
Ruby 2.3 series: 2.3.6 and earlier
Ruby 2.4 series: 2.4.3 and earlier
Ruby 2.5 series: 2.5.0 and earlier

External References:

https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/

Comment 1 Adam Mariš 2018-03-29 05:14:13 EDT

Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1561957]

Comment 8 Andrej Nemec 2018-05-14 11:26:26 EDT

Statement:

This issue affects the versions of ruby as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of ruby as shipped with Red Hat Subscription Asset Manager 1. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.

bkearney
cbillett
cbuissar
ccoleman
cpelland
dajohnso
dclarizi
dedgar
dmcphers
gblomqui
gmccullo
gtanzill
hhorak
hhudgeon
jfrey
jgoulding
jhardy
jorton
jprause
mtasaka
obarenbo
pvalena
roliveri
ruby-maint
simaishi
s
strzibny
tomckay
vanmeeuwen+fedora
vondruch