Rack is a modular Ruby web server interface. A carefully crafted Content-Type header can cause Rack's media type parser to take far longer than expected, which can be used for denial of service (a ReDoS with second-degree polynomial, i.e. quadratic, complexity: doubling the header length roughly quadruples the parsing time). Because the header is parsed before application code runs, an unauthenticated client can trigger it with a single request. The vulnerability is patched in Rack 3.0.9.1 and 2.2.8.1.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
| Name | Vendor | Start Version | End Version | 
|---|---|---|---|
| Rack | Rack | 0.4 (including) | 2.2.8.1 (excluding) | 
| Rack | Rack | 3.0.0 (including) | 3.0.9.1 (excluding) | 
| Red Hat Enterprise Linux 8 | RedHat | pcs-0:0.10.18-2.el8_10 | * | 
| Red Hat Enterprise Linux 8.2 Telecommunications Update Service | RedHat | pcs-0:0.10.4-6.el8_2.5 | * | 
| Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | RedHat | pcs-0:0.10.4-6.el8_2.5 | * | 
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | pcs-0:0.10.8-1.el8_4.5 | * | 
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | pcs-0:0.10.8-1.el8_4.5 | * | 
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | pcs-0:0.10.12-6.el8_6.5 | * | 
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | pcs-0:0.10.15-4.el8_8.2 | * | 
| Red Hat Enterprise Linux 9 | RedHat | pcs-0:0.11.7-2.el9_4 | * | 
| Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | pcs-0:0.11.1-10.el9_0.5 | * | 
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | pcs-0:0.11.4-7.el9_2.1 | * | 
| Red Hat Satellite 6.15 for RHEL 8 | RedHat | rubygem-rack-0:2.2.8.1-1.el8sat | * | 
| Ruby-rack | Ubuntu | bionic | * | 
| Ruby-rack | Ubuntu | esm-apps/focal | * | 
| Ruby-rack | Ubuntu | esm-apps/jammy | * | 
| Ruby-rack | Ubuntu | focal | * | 
| Ruby-rack | Ubuntu | jammy | * | 
| Ruby-rack | Ubuntu | mantic | * | 
| Ruby-rack | Ubuntu | noble | * | 
| Ruby-rack | Ubuntu | trusty | * | 
| Ruby-rack | Ubuntu | upstream | * | 
| Ruby-rack | Ubuntu | xenial | * | 
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
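The following is an added example, written for this page and not taken from Rack's source, that shows the class of pattern the advisory and the CWE text describe and how the quadratic behaviour arises. The split patterns, the `media_type`/`media_type_params` helpers and the `hostile_header` input are constructed for the illustration (they mimic a Content-Type parser that splits on `;` and `,`; they are assumptions, not a copy of Rack's implementation). The slow pattern allows optional whitespace on both sides of the separator, so when `split` is run over a header that ends in a long run of spaces with no separator, the engine retries from every position and backtracks through the rest of the run each time. The fast pattern splits on the separator alone and trims each piece afterwards, which is the standard fix for this shape of bug.

```ruby
require 'benchmark'

# Added example, not Rack's code. A separator pattern with optional whitespace on
# both sides: for an input of n trailing spaces and no ';' or ',', the regex is
# retried at each of the n positions and each attempt backtracks through the
# remaining spaces, so total work is O(n^2).
SLOW_SPLIT = /\s*[;,]\s*/

# Linear alternative: split on the separator only, strip whitespace afterwards.
FAST_SPLIT = /[;,]/

# Media type (everything before the first separator), lower-cased.
def media_type(content_type, pattern)
  return nil unless content_type
  type = content_type.split(pattern, 2).first
  type && type.strip.downcase
end

# Parameters after the media type as a Hash, keys lower-cased, quotes removed.
def media_type_params(content_type, pattern)
  return {} if content_type.nil?
  content_type.split(pattern)[1..-1].each_with_object({}) do |s, hsh|
    k, v = s.strip.split('=', 2)
    next if k.nil? || k.empty?
    hsh[k.downcase] = strip_doublequotes(v)
  end
end

def strip_doublequotes(str)
  return nil if str.nil?
  if str.length >= 2 && str.start_with?('"') && str.end_with?('"')
    str[1..-2]
  else
    str
  end
end

# Constructed hostile header: a valid type followed by n spaces and no separator.
def hostile_header(n)
  "text/plain" + " " * n
end

# Wall-clock seconds to parse the hostile header with the given pattern.
def time_split(pattern, n)
  Benchmark.realtime { media_type_params(hostile_header(n), pattern) }
end

# Both parsers agree on well-formed input; only their cost differs.
[1_000, 2_000, 4_000, 8_000].each do |n|
  slow = time_split(SLOW_SPLIT, n)
  fast = time_split(FAST_SPLIT, n)
  printf("n=%5d  slow=%.4fs  fast=%.4fs\n", n, slow, fast)
end
```

Run it and watch the `slow` column grow roughly fourfold each time `n` doubles while `fast` stays flat; with a multi-megabyte header the slow pattern ties up a worker for seconds. When the gem cannot be upgraded immediately, limiting request header size at the reverse proxy bounds `n` and therefore the damage, but it is a mitigation, not a fix.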