Rack (rubygem-rack) versions 2.04 and 2.0.5 are vulnerable to a denial of service due to incorrect buffer size in the multipart parser. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
Created rubygem-rack tracking bugs for this issue:
Affects: fedora-all [bug 1646815]
rubygem-rack as shipped by OpenShift Enterprise 3.1 through 3.4 is version 1.5.2, which is not impacted. Version 1.5.2 does not contain the problematic commit which is reverted by the patch to address this flaw.
Upstream patch on 2.0-stable branch:
OpenShift Enterprise and Red Hat OpenStack Platform optools both ship rubygem-rack 1.5.2, which is not affected by this flaw.
Red Hat Subscription Asset Manager uses rubygem-rack 1.4.5, and is not affected by this flaw.
Red Hat Update Infrastructure ships rubygem-rack version 1.4.2, which is not affected by this flaw.
Red Hat CloudForms versions 4.5 and 4.6 ship rack version 2.0.3, which is not affected by this flaw; while Red Hat CloudForms version 4.7 ships rack version 2.0.6, which already contains the fix for this flaw.
This issue has been addressed in the following products:
Red Hat Satellite 6.6 for RHEL 7
Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Satellite 6.7 contains tfm-ror52-rubygem-rack-2.0.6-1 and hence not vulnerable to this old flaw.