Michael Koziarski reports: Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service.
Quoting further details from the upstream advisory draft:

Denial of Service Vulnerability in Action View

There is a denial of service vulnerability in the header handling component of Action View. This vulnerability has been assigned the CVE identifier CVE-2013-6414.

Versions Affected: 3.0.0 and all later versions
Not affected: 2.3.x
Fixed Versions: 4.0.2, 3.2.16

Impact
------
Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Releases
--------
The 4.0.2 & 3.2.16 releases are available at the normal locations.

Credits
-------
Thanks to Toby Hsieh of SlideShare for reporting the issue to us.
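The failure mode the advisory describes is a memoization cache whose keys are derived from an attacker-controlled request header, so every distinct header value becomes a permanent entry. The following is an added illustration of that bug class and of the bounding fix (only cache keys drawn from a fixed, registered set); it is not the Rails or Action View source, and the class names, the `REGISTERED_FORMATS` registry and the Accept-header parser are constructed for the example.

```ruby
# Added illustration of an unbounded header-keyed cache beside a bounded one.
# Not Rails code: names and the format registry below are constructed.

# Constructed stand-in for the application's set of known response formats.
REGISTERED_FORMATS = %w[html json xml js].freeze

# Vulnerable pattern: every distinct list of formats becomes a cache entry
# that is never evicted, so unique Accept headers grow the hash without bound.
class UnboundedDetailsCache
  def initialize
    @cache = {}
  end

  def key_for(formats)
    @cache[formats] ||= Object.new # stands in for a compiled lookup key
  end

  def size
    @cache.size
  end
end

# Hardened pattern: formats that are not registered are dropped before they
# can reach the cache, so the number of possible keys is fixed by the registry.
class BoundedDetailsCache < UnboundedDetailsCache
  def key_for(formats)
    known = formats.select { |f| REGISTERED_FORMATS.include?(f) }
    known = ['html'] if known.empty? # default format, never cache attacker garbage
    super(known)
  end
end

# Pull the subtype out of each media type in an Accept header; parameters
# such as q=0.9 are discarded. Constructed parser, simplified for the example.
def formats_from_accept(header)
  header.split(',').map { |part| part.split(';').first.strip.split('/').last }
end

# Drive a cache with request_count requests, each carrying a unique,
# attacker-generated media type, and report how many entries remain cached.
def simulate(cache, request_count)
  request_count.times do |i|
    cache.key_for(formats_from_accept("text/html, application/bogus-#{i};q=0.9"))
  end
  cache.size
end

if __FILE__ == $PROGRAM_NAME
  puts "unbounded cache after 1000 requests: #{simulate(UnboundedDetailsCache.new, 1000)} entries"
  puts "bounded cache after 1000 requests:   #{simulate(BoundedDetailsCache.new, 1000)} entries"
end
```

The unbounded cache holds one entry per request, while the bounded one stays at a single entry no matter how many distinct headers arrive. The practical check is the same either way: any long-lived hash or memoization whose key includes raw request data (headers, query parameters, path segments) needs either a whitelist of permitted keys or an eviction policy.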
Created attachment 831767: Upstream patch for 3.0.x
Created attachment 831769: Upstream patch for 3.2.x
Created attachment 831770: Upstream patch for 4.0.x
Fixed upstream in 3.2.16 and 4.0.2:

http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
http://seclists.org/oss-sec/2013/q4/400

Upstream commits (3.2 and 4.0):

https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068
https://github.com/rails/rails/commit/1ec3806cc8d32e8365a1edbabcda3ef104f62055
This issue has been addressed in the following products:

Red Hat Software Collections for RHEL-6

Via RHSA-2013:1794 https://rhn.redhat.com/errata/RHSA-2013-1794.html
This issue has been addressed in the following products:

OpenStack 3 for RHEL 6

Via RHSA-2014:0008 https://rhn.redhat.com/errata/RHSA-2014-0008.html
Acknowledgements: Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Toby Hsieh as the original reporter.
IssueDescription: A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed.
This issue has been addressed in the following products:

Red Hat Subscription Asset Manager 1.4

Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html