Bug 1646814 (CVE-2018-16470) - CVE-2018-16470 rubygem-rack: Buffer size in multipart parser allows for denial of service
Status: CLOSED ERRATA
Alias: CVE-2018-16470
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1646815 1663573 1666066 1666067 1666068 1748337 1748339
Blocks: 1646821
Reported: 2018-11-06 04:31 UTC by Sam Fowler
Modified: 2021-02-16 22:48 UTC

Fixed In Version: rubygem-rack 2.0.6
Last Closed: 2019-10-22 18:51:12 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3172 0 None None None 2019-10-22 12:46:35 UTC

Description Sam Fowler 2018-11-06 04:31:50 UTC
Rack (rubygem-rack) versions 2.0.4 and 2.0.5 are vulnerable to a denial of service due to incorrect buffer size in the multipart parser. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.


External Reference:

https://groups.google.com/forum/#!msg/rubyonrails-security/U_x-YkfuVTg/xhvYAmp6AAAJ
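
An added example, not part of this bug report or of the rack project: a small Ruby script that reads a Gemfile.lock and classifies the pinned rack version against the affected range stated above (2.0.4 and 2.0.5 affected, fixed in 2.0.6 per the "Fixed In Version" field). Versions below 2.0.4 are reported as not affected, following the statements in this thread about 1.4.x, 1.5.2 and 2.0.3; versions at or above 2.0.6 are reported as fixed, which assumes later releases keep the fix. The lockfile content is constructed for the example.

```ruby
# Added example (not from the bug report or the rack project): check a
# Gemfile.lock for a rack version affected by CVE-2018-16470.
require 'rubygems'

# Affected range taken from the description above: 2.0.4 and 2.0.5.
AFFECTED_RANGE = Gem::Requirement.new('>= 2.0.4', '< 2.0.6')
# "Fixed In Version" from the bug header; >= 2.0.6 assumed to carry the fix.
FIXED_FROM = Gem::Version.new('2.0.6')

# Collect "name (version)" entries from the specs section of a Gemfile.lock.
# Pinned gems sit exactly four spaces deep; their dependency lines are deeper
# and are deliberately skipped.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A    ([A-Za-z0-9_.\-]+) \(([^)]+)\)\s*\z/)
    next unless m
    versions[m[1]] = Gem::Version.new(m[2])
  end
  versions
end

# Map a rack version to one of :affected, :fixed or :not_affected.
def classify_rack(version)
  return :affected if AFFECTED_RANGE.satisfied_by?(version)
  return :fixed if version >= FIXED_FROM
  :not_affected
end

# Convenience wrapper: classify the rack pin in a lockfile, or report that
# rack is not present at all.
def assess_lockfile(lockfile_text)
  rack = locked_versions(lockfile_text)['rack']
  return :rack_not_present if rack.nil?
  classify_rack(rack)
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.5)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "rack status for sample lockfile: #{assess_lockfile(SAMPLE_LOCK)}"
end
```

Run it against a real Gemfile.lock by replacing SAMPLE_LOCK with `File.read('Gemfile.lock')`; Gem::Version handles prerelease and multi-segment versions, so the comparison does not rely on string matching.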

Comment 1 Sam Fowler 2018-11-06 04:32:06 UTC
Created rubygem-rack tracking bugs for this issue:

Affects: fedora-all [bug 1646815]

Comment 2 James Hebden 2018-11-28 04:48:23 UTC
rubygem-rack as shipped by OpenShift Enterprise 3.1 through 3.4 is version 1.5.2, which is not impacted. Version 1.5.2 does not contain the problematic commit which is reverted by the patch to address this flaw.

Comment 3 James Hebden 2018-11-29 06:27:52 UTC
rubygem-rack as shipped by OpenShift Enterprise 3.1 through 3.4 is version 1.5.2, which is not impacted. Version 1.5.2 does not contain the problematic commit which is reverted by the patch to address this flaw.

Comment 6 Riccardo Schirone 2018-12-12 12:13:32 UTC
Upstream patch on 2.0-stable branch:
https://github.com/rack/rack/commit/37c1160b2360074d20858792f23a7eb3afeabebd

Comment 14 Richard Maciel Costa 2019-01-17 15:41:01 UTC
Statement:

OpenShift Enterprise and Red Hat OpenStack Platform optools both ship rubygem-rack 1.5.2, which is not affected by this flaw.

Red Hat Subscription Asset Manager uses rubygem-rack 1.4.5, and is not affected by this flaw.

Red Hat Update Infrastructure ships rubygem-rack version 1.4.2, which is not affected by this flaw.

Red Hat CloudForms versions 4.5 and 4.6 ship rack version 2.0.3, which is not affected by this flaw; while Red Hat CloudForms version 4.7 ships rack version 2.0.6, which already contains the fix for this flaw.

Comment 19 errata-xmlrpc 2019-10-22 12:46:31 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.6 for RHEL 7

Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172

Comment 20 Product Security DevOps Team 2019-10-22 18:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16470

Comment 21 Yadnyawalk Tale 2020-04-20 10:29:04 UTC
Satellite 6.7 contains tfm-ror52-rubygem-rack-2.0.6-1 and hence is not vulnerable to this old flaw.
