Bug 1185771 – VUL-1: CVE-2021-22902: rubygem-actionpack-4_2,rubygem-actionpack-5_1,rubygem-actionpack-3_2: [] Possible Denial of Service vulnerability in Action Dispatch

Bug 1185771 - (CVE-2021-22902) VUL-1: CVE-2021-22902: rubygem-actionpack-4_2,rubygem-actionpack-5_1,rubygem-actionpack-3_2: [] Possible Denial of Service vulnerability in Action Dispatch

(CVE-2021-22902)
Summary:	VUL-1: CVE-2021-22902: rubygem-actionpack-4_2,rubygem-actionpack-5_1,rubygem-...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Marcus Rückert
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/283518/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-05-07 11:38 UTC by Gianluca Gabrielli
Modified:	2021-05-07 12:15 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-05-07 11:38:10 UTC

CVE-2021-22902

oss-sec
mailing list archives




  By Date  
     
  By Thread  
     
    










[CVE-2021-22902] Possible Denial of Service vulnerability in Action Dispatch



From: Aaron Patterson 
Date: Wed, 5 May 2021 09:36:49 -0700





There is a possible Denial of Service vulnerability in the Mime type parser
of
Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2021-22902.

Versions Affected:  >= 6.0.0
Not affected:       < 6.0.0
Fixed Versions:     6.0.3.7, 6.1.0.2

Impact
------
There is a possible Denial of Service vulnerability in Action Dispatch.
Carefully crafted Accept headers can cause the mime type parser in Action
Dispatch to do catastrophic backtracking in the regular expression engine.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
The following monkey patch placed in an initializer can be used to work
around
the issue:

```ruby
module Mime
  class Type
    MIME_REGEXP =
/\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided
patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch
for 6.0 series
* 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch
for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at
present. Users of earlier unsupported releases are advised to upgrade as
soon
as possible as we cannot guarantee the continued availability of security
fixes for unsupported releases.

Credits
-------

Thanks to Security Curious  for reporting this!

-- 
Aaron Patterson
http://tenderlovemaking.com/
Attachment:
6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch
Description: 
Attachment:
6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch
Description: 









  By Date  
     
  By Thread  

Current thread:

[CVE-2021-22902] Possible Denial of Service vulnerability in Action Dispatch Aaron Patterson (May 05)








References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22902
http://seclists.org/oss-sec/2021/q2/99

Comment 1 Gianluca Gabrielli 2021-05-07 11:48:04 UTC

Versions Affected:  >= 6.0.0
Not affected:       < 6.0.0
Fixed Versions:     6.0.3.7, 6.1.0.2

Affected package:

 - openSUSE:Factory/rubygem-actionpack-6.0 v.6.0.3.4

Please upgrade to 6.0.3.7