Bugzilla – Bug 1197818
VUL-0: CVE-2022-24790: rubygem-puma: HTTP request smuggling if proxy is not RFC7230 compliant
Last modified: 2023-02-17 09:45:26 UTC
CVE-2022-24790 Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24790
https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
http://www.cvedetails.com/cve/CVE-2022-24790/
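To make the "disagree on where a request starts and ends" part concrete, here is an added example (written for this bug, not Puma's parser or the upstream fix) that runs one constructed byte stream through three framing policies: a lenient front end that trusts Content-Length even when Transfer-Encoding is present, a back end that trusts Transfer-Encoding, and a strict RFC 7230 section 3.3.3 check that rejects the ambiguity outright. The policy names, the sample requests and the toy chunked decoder are all constructed for the illustration; only chunked is implemented.

```ruby
# Added example, not Puma's code: three HTTP/1.1 framing policies applied to one
# constructed byte stream. Policy names and sample requests are made up here.

class FramingError < StandardError; end

# Parse one request head at pos. Returns [request_line, headers, body_pos] with
# headers as lowercased name => [values], or nil if no complete head is present.
def parse_head(buf, pos)
  head_end = buf.index("\r\n\r\n", pos)
  return nil unless head_end
  lines = buf[pos...head_end].split("\r\n")
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    raise FramingError, "malformed header line #{line.inspect}" if value.nil?
    (headers[name.downcase] ||= []) << value.strip
  end
  [request_line, headers, head_end + 4]
end

# Decode a chunked body starting at pos. Returns [body, pos_after_body].
def read_chunked(buf, pos)
  body = +""
  loop do
    line_end = buf.index("\r\n", pos)
    raise FramingError, "truncated chunk-size line" unless line_end
    size_field = buf[pos...line_end].split(";", 2).first.to_s
    raise FramingError, "bad chunk size #{size_field.inspect}" unless size_field.match?(/\A[0-9a-fA-F]+\z/)
    size = size_field.to_i(16)
    pos = line_end + 2
    if size.zero?
      # Trailers are not supported here; require the empty line that ends the body.
      raise FramingError, "missing CRLF after last chunk" unless buf[pos, 2] == "\r\n"
      return [body, pos + 2]
    end
    raise FramingError, "truncated chunk data" unless buf[pos + size, 2] == "\r\n"
    body << buf[pos, size]
    pos += size + 2
  end
end

# Body length for one request: an Integer, or :chunked.
def body_length(headers, policy)
  cl = headers.fetch("content-length", [])
  te = headers.fetch("transfer-encoding", [])
  encodings = te.flat_map { |v| v.split(",") }.map { |e| e.strip.downcase }
  case policy
  when :strict
    # RFC 7230 3.3.3: both fields present is a smuggling signal; treat it as an error.
    raise FramingError, "Content-Length and Transfer-Encoding both present" if cl.any? && te.any?
    if te.any?
      # Anything but a single final "chunked" leaves the request length indeterminate (400).
      raise FramingError, "unsupported Transfer-Encoding #{encodings.inspect}" unless encodings == ["chunked"]
      return :chunked
    end
    if cl.any?
      raise FramingError, "conflicting Content-Length values #{cl.inspect}" unless cl.uniq.size == 1
      raise FramingError, "non-numeric Content-Length #{cl.first.inspect}" unless cl.first.match?(/\A\d+\z/)
      return cl.first.to_i
    end
    0
  when :content_length_first  # non-compliant front end: CL wins even when TE is present
    return cl.first.to_i if cl.any?
    encodings.include?("chunked") ? :chunked : 0
  when :transfer_encoding_first  # back end that honours TE when both are present
    return :chunked if encodings.include?("chunked")
    cl.any? ? cl.first.to_i : 0
  else
    raise ArgumentError, "unknown policy #{policy.inspect}"
  end
end

# Split a connection's byte stream into requests under one policy.
def split_requests(buf, policy)
  requests = []
  pos = 0
  while (head = parse_head(buf, pos))
    request_line, headers, pos = head
    len = body_length(headers, policy)
    if len == :chunked
      body, pos = read_chunked(buf, pos)
    else
      raise FramingError, "truncated body" if buf.bytesize < pos + len
      body = buf[pos, len]
      pos += len
    end
    requests << { line: request_line, body: body }
  end
  requests
end

# Constructed sample: a POST whose Content-Length covers the chunked terminator
# plus a second, smuggled request.
SMUGGLED = "GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
CHUNKED_EMPTY_BODY = "0\r\n\r\n"
AMBIGUOUS_REQUEST =
  "POST /upload HTTP/1.1\r\nHost: backend\r\n" \
  "Content-Length: #{CHUNKED_EMPTY_BODY.bytesize + SMUGGLED.bytesize}\r\n" \
  "Transfer-Encoding: chunked\r\n\r\n" + CHUNKED_EMPTY_BODY + SMUGGLED

# Request lines each policy sees, or the rejection reason.
def framing_views(buf)
  %i[content_length_first transfer_encoding_first strict].map do |policy|
    [policy, split_requests(buf, policy).map { |r| r[:line] }]
  rescue FramingError => e
    [policy, "rejected: #{e.message}"]
  end.to_h
end

framing_views(AMBIGUOUS_REQUEST).each { |policy, view| puts "#{policy}: #{view.inspect}" } if $PROGRAM_NAME == __FILE__
```

The lenient front end forwards one POST whose "body" carries the GET /admin; a back end applying the Transfer-Encoding rule then executes two requests, the second of which never passed the front end's checks. The strict policy is what the advisory's workaround asks the proxy to enforce: drop the request instead of guessing.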
Exact same issue as bsc#1197255. If Cloud8 and Cloud9 deployments are always fronted by haproxy, with every option set to drop packets not respecting RFC7230, the workaround should be enough.
However, SUSE:SLE-15:Update should be affected.
(In reply to Thomas Leroy from comment #1)
> Exact same issue as bsc#1197255. If Cloud8 and Cloud9 deployments are
> always fronted by haproxy, with every option set to drop packets not
> respecting RFC7230, the workaround should be enough.

OpenStack (Python based) services are fronted by haproxy, but this package is used as part of the SOC Crowbar API, which is not fronted by a proxy when deployed. So still relevant for SOC 8/9 Crowbar.
Affected are:
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rubygem-puma
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rubygem-puma
SUSE:SLE-15:Update/rubygem-puma

Cloud packages come from Devel:Cloud:Shared:Rubygem/rubygem-puma, submit there first.
SUSE-SU-2022:3339-1: An update that fixes 6 vulnerabilities, contains two features is now available.

Category: security (moderate)
Bug References: 1157665,1164139,1191454,1197818,1198398,1201186
CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265
JIRA References: SOC-11662,SOC-8764
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, rubygem-puma-2.16.0-4.18.1
SUSE OpenStack Cloud 9 (src): ardana-ansible-9.0+git.1660748476.c118d23-3.32.1, ardana-cobbler-9.0+git.1660747489.119efcd-3.19.1, ardana-tempest-9.0+git.1651855288.a2341ad-3.22.1, grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, venv-openstack-heat-11.0.4~dev4-3.37.1, venv-openstack-horizon-14.1.1~dev11-4.41.1, venv-openstack-neutron-13.0.8~dev206-6.41.1, venv-openstack-nova-18.3.1~dev92-3.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3338-1: An update that fixes 7 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1157665,1191454,1193597,1197818,1198398,1201186
CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2021-44716,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265
JIRA References: SOC-11662
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, rubygem-puma-2.16.0-3.18.1
SUSE OpenStack Cloud 8 (src): ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1
HPE Helion Openstack 8 (src): ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SOC 8 and SOC 9 fixes released. Back to Security team.
Thanks Christian! Assigning to Jeremy since he did the last update some months ago. @Jeremy: could you submit for SUSE:SLE-15:Update?
Submitted MR to update to 4.3.12 at https://build.suse.de/request/show/280957

I don't do too many of these, so hopefully I followed the maintenance instructions correctly; if not, I'm happy to re-address the issue.
SUSE-SU-2022:3571-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197818
CVE References: CVE-2022-24790
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): rubygem-puma-4.3.12-150000.3.9.1
openSUSE Leap 15.3 (src): rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP4 (src): rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP3 (src): rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP2 (src): rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP1 (src): rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15 (src): rubygem-puma-4.3.12-150000.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.