Bug 1197818 - (CVE-2022-24790) VUL-0: CVE-2022-24790: rubygem-puma: HTTP request smuggling if proxy is not RFC7230 compliant
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Jeremy Moffitt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/327726/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-24790:7.5:(AV:...
Reported: 2022-03-31 09:13 UTC by Thomas Leroy
Modified: 2022-10-13 10:20 UTC (History)
Found By: Security Response Team
Description Thomas Leroy 2022-03-31 09:13:44 UTC
CVE-2022-24790

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack
applications. When using Puma behind a proxy that does not properly validate
that the incoming HTTP request matches the RFC7230 standard, Puma and the
frontend proxy may disagree on where a request starts and ends. This would allow
requests to be smuggled via the front-end proxy to Puma. The vulnerability has
been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as
possible. Workaround: when deploying a proxy in front of Puma, turn on any
and all functionality to make sure that the request matches the RFC7230
standard.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24790
https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24790
http://www.cvedetails.com/cve/CVE-2022-24790/
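The workaround in the description is to have the front-end proxy enforce RFC7230 framing, so that the proxy and Puma cannot disagree about where one request ends and the next begins. As an added illustration, not code from Puma, HAProxy or this bug, the Ruby below implements the RFC 7230 section 3.3.3 message-body rules that such a check applies, whether it runs in the proxy or as a guard in front of the backend: it rejects a request that carries both Transfer-Encoding and Content-Length, a Transfer-Encoding in which chunked is not the final coding, conflicting or non-numeric Content-Length values, and header names with whitespace before the colon. The sample requests are constructed for the example, and the function, class and constant names are this example's own.

```ruby
# Added example (not Puma's code): a strict RFC 7230 §3.3.3 framing check.
# A request that fails here is one where a lenient proxy and a backend could
# legitimately disagree on the body length, so a compliant proxy must reject
# it instead of forwarding it.

class FramingError < StandardError; end

# Parse the header block of a raw HTTP/1.1 request (CRLF-delimited string,
# up to and including the blank line). Returns [name, value] pairs with the
# name downcased; repeated headers are kept as separate entries so that
# duplicates can be detected.
def parse_headers(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  request_line = lines.shift
  unless request_line =~ %r{\A[A-Z]+ \S+ HTTP/1\.[01]\z}
    raise FramingError, "bad request line: #{request_line.inspect}"
  end
  lines.map do |line|
    name, value = line.split(":", 2)
    # RFC 7230 §3.2.4: no whitespace is allowed between field-name and colon;
    # a line without a colon is not a header field at all.
    if value.nil? || name =~ /\s/
      raise FramingError, "malformed header: #{line.inspect}"
    end
    [name.downcase, value.strip]
  end
end

# Apply the RFC 7230 §3.3.3 rules. Returns the unambiguous body length in
# bytes, or :chunked; raises FramingError for any request a compliant
# proxy must reject.
def validate_framing(raw)
  headers = parse_headers(raw)
  te = headers.select { |n, _| n == "transfer-encoding" }.map(&:last)
  cl = headers.select { |n, _| n == "content-length" }.map(&:last)

  # Rule 3: Transfer-Encoding and Content-Length together is an error.
  if !te.empty? && !cl.empty?
    raise FramingError, "Transfer-Encoding and Content-Length both present"
  end

  unless te.empty?
    codings = te.flat_map { |v| v.split(",") }.map { |c| c.strip.downcase }
    # Chunked must be the final coding, otherwise the length cannot be
    # determined reliably; applying it twice is likewise an error.
    unless codings.last == "chunked"
      raise FramingError, "chunked is not the final transfer coding"
    end
    raise FramingError, "chunked applied more than once" if codings.count("chunked") > 1
    return :chunked
  end

  return 0 if cl.empty?

  # Rule 4: multiple Content-Length values must all be identical, and the
  # value must be a plain decimal (no sign, whitespace or other syntax).
  values = cl.flat_map { |v| v.split(",") }.map(&:strip).uniq
  raise FramingError, "conflicting Content-Length values" if values.size > 1
  raise FramingError, "invalid Content-Length" unless values.first =~ /\A\d+\z/
  values.first.to_i
end

# Convenience predicate: true when the request would be rejected.
def rejected?(raw)
  validate_framing(raw)
  false
rescue FramingError
  true
end

# Constructed sample requests (not from the page or the advisory).
GOOD_CL = "POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello".freeze
GOOD_TE = "POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: gzip, chunked\r\n\r\n".freeze
AMBIGUOUS_CL_TE = "POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n".freeze
CONFLICTING_CL = "POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n".freeze
BAD_TE_ORDER = "POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked, gzip\r\n\r\n".freeze
SPACE_BEFORE_COLON = "POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello".freeze

if __FILE__ == $PROGRAM_NAME
  { "GOOD_CL" => GOOD_CL, "GOOD_TE" => GOOD_TE, "AMBIGUOUS_CL_TE" => AMBIGUOUS_CL_TE,
    "CONFLICTING_CL" => CONFLICTING_CL, "BAD_TE_ORDER" => BAD_TE_ORDER,
    "SPACE_BEFORE_COLON" => SPACE_BEFORE_COLON }.each do |label, req|
    puts "#{label}: #{rejected?(req) ? 'rejected' : "accepted (#{validate_framing(req).inspect})"}"
  end
end
```

The check is deliberately stricter than what a typical backend parser tolerates: a backend that quietly prefers one of two conflicting framings is exactly the behaviour that lets a lenient proxy and Puma split a byte stream differently, so the safe proxy-side policy is to reject rather than normalise.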
Comment 1 Thomas Leroy 2022-03-31 09:15:52 UTC
Exact same issue as bsc#1197255. If Cloud8 and Cloud9 deployments are always fronted by haproxy, with every option set to drop packets not respecting RFC7230, the workaround should be enough.
Comment 2 Thomas Leroy 2022-03-31 09:22:28 UTC
However, SUSE:SLE-15:Update should be affected.
Comment 3 Fergal Mc Carthy 2022-03-31 14:30:08 UTC
(In reply to Thomas Leroy from comment #1)
> Exact same issue that bsc#1197255. If Cloud8 and Cloud9 deployments are
> always fronted by haproxy, with every option set to drop packets not
> respecting RFC7230, the workaround should be enough.

OpenStack (Python based) services are fronted by haproxy but this package is used as part of the SOC Crowbar API, which is not fronted by a proxy when deployed.

So still relevant for SOC 8/9 Crowbar.
Comment 4 Jan Zerebecki 2022-07-21 08:38:14 UTC
Affected are:
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rubygem-puma
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rubygem-puma
SUSE:SLE-15:Update/rubygem-puma

Cloud packages come from Devel:Cloud:Shared:Rubygem/rubygem-puma, submit there first.
Comment 10 Swamp Workflow Management 2022-09-22 19:19:36 UTC
SUSE-SU-2022:3339-1: An update that fixes 6 vulnerabilities, contains two features is now available.

Category: security (moderate)
Bug References: 1157665,1164139,1191454,1197818,1198398,1201186
CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265
JIRA References: SOC-11662,SOC-8764
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, rubygem-puma-2.16.0-4.18.1
SUSE OpenStack Cloud 9 (src):    ardana-ansible-9.0+git.1660748476.c118d23-3.32.1, ardana-cobbler-9.0+git.1660747489.119efcd-3.19.1, ardana-tempest-9.0+git.1651855288.a2341ad-3.22.1, grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, venv-openstack-heat-11.0.4~dev4-3.37.1, venv-openstack-horizon-14.1.1~dev11-4.41.1, venv-openstack-neutron-13.0.8~dev206-6.41.1, venv-openstack-nova-18.3.1~dev92-3.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-09-22 19:21:20 UTC
SUSE-SU-2022:3338-1: An update that fixes 7 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1157665,1191454,1193597,1197818,1198398,1201186
CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2021-44716,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265
JIRA References: SOC-11662
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, rubygem-puma-2.16.0-3.18.1
SUSE OpenStack Cloud 8 (src):    ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1
HPE Helion Openstack 8 (src):    ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Christian Almeida de Oliveira 2022-09-27 13:03:46 UTC
SOC 8 and SOC 9 fixes released.
Back to Security team.
Comment 13 Gabriele Sonnu 2022-09-27 14:10:36 UTC
Thanks Christian!

Assigning to Jeremy since he did the last update some months ago.
@Jeremy: could you submit for SUSE:SLE-15:Update?
Comment 14 Jeremy Moffitt 2022-09-27 20:39:01 UTC
Submitted MR to update to 4.3.12 at https://build.suse.de/request/show/280957

I don't do too many of these, so hopefully I followed the maintenance instructions correctly; if not, I'm happy to re-address the issue.
Comment 15 Swamp Workflow Management 2022-10-13 10:20:16 UTC
SUSE-SU-2022:3571-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197818
CVE References: CVE-2022-24790
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    rubygem-puma-4.3.12-150000.3.9.1
openSUSE Leap 15.3 (src):    rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-puma-4.3.12-150000.3.9.1
SUSE Linux Enterprise High Availability 15 (src):    rubygem-puma-4.3.12-150000.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.