Headline
CVE-2022-24790: Merge pull request from GHSA-h99w-9q5r-gjq9 · puma/puma@5bb7d20
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
@@ -23,6 +23,8 @@ module Puma
class ConnectionError < RuntimeError; end
class HttpParserError501 < IOError; end
# An instance of this class represents a unique request from a client. # For example, this could be a web request from a browser or from CURL. # @@ -35,7 +37,21 @@ class ConnectionError < RuntimeError; end # Instances of this class are responsible for knowing if # the header and body are fully buffered via the `try_to_finish` method. # They can be used to “time out” a response via the `timeout_at` reader. # class Client
# this tests all values but the last, which must be chunked ALLOWED_TRANSFER_ENCODING = %w[compress deflate gzip].freeze
# chunked body validation CHUNK_SIZE_INVALID = /[^\h]/.freeze CHUNK_VALID_ENDING = "\r\n".freeze
# Content-Length header value validation CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
TE_ERR_MSG = ‘Invalid Transfer-Encoding’
# The object used for a request with no body. All requests with # no body share this one object since it has no state. EmptyBody = NullIO.new @@ -302,24 +318,40 @@ def setup_body body = @parser.body
te = @env[TRANSFER_ENCODING2]
if te if te.include?(“,”) te.split(“,”).each do |part| if CHUNKED.casecmp(part.strip) == 0 return setup_chunked_body(body) end te_lwr = te.downcase if te.include? ‘,’ te_ary = te_lwr.split ‘,’ te_count = te_ary.count CHUNKED te_valid = te_ary[0…-2].all? { |e| ALLOWED_TRANSFER_ENCODING.include? e } if te_ary.last == CHUNKED && te_count == 1 && te_valid @env.delete TRANSFER_ENCODING2 return setup_chunked_body body elsif te_count >= 1 raise HttpParserError , “#{TE_ERR_MSG}, multiple chunked: '#{te}’” elsif !te_valid raise HttpParserError501, “#{TE_ERR_MSG}, unknown value: '#{te}’” end elsif CHUNKED.casecmp(te) == 0 return setup_chunked_body(body) elsif te_lwr == CHUNKED @env.delete TRANSFER_ENCODING2 return setup_chunked_body body elsif ALLOWED_TRANSFER_ENCODING.include? te_lwr raise HttpParserError , “#{TE_ERR_MSG}, single value must be chunked: '#{te}’” else raise HttpParserError501 , “#{TE_ERR_MSG}, unknown value: '#{te}’” end end
@chunked_body = false
cl = @env[CONTENT_LENGTH]
unless cl if cl # cannot contain characters that are not \d if cl =~ CONTENT_LENGTH_VALUE_INVALID raise HttpParserError, “Invalid Content-Length: #{cl.inspect}” end else @buffer = body.empty? ? nil : body @body = EmptyBody set_ready @@ -478,7 +510,13 @@ def decode_chunk(chunk) while !io.eof? line = io.gets if line.end_with?(“\r\n”) len = line.strip.to_i(16) # Puma doesn’t process chunk extensions, but should parse if they’re # present, which is the reason for the semicolon regex chunk_hex = line.strip[/\A[^;]+/] if chunk_hex =~ CHUNK_SIZE_INVALID raise HttpParserError, “Invalid chunk size: '#{chunk_hex}’” end len = chunk_hex.to_i(16) if len == 0 @in_last_chunk = true @body.rewind @@ -509,7 +547,12 @@ def decode_chunk(chunk)
case when got == len write_chunk(part[0…-3]) # to skip the ending \r\n # proper chunked segment must end with “\r\n” if part.end_with? CHUNK_VALID_ENDING write_chunk(part[0…-3]) # to skip the ending \r\n else raise HttpParserError, “Chunk size mismatch” end when got <= len - 2 write_chunk(part) @partial_part_left = len - part.size
Related news
Ubuntu Security Notice 6682-1 - ZeddYu Lu discovered that Puma incorrectly handled parsing certain headers. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. This issue only affected Ubuntu 20.04 LTS. It was discovered that Puma incorrectly handled parsing certain headers. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. This issue only affected Ubuntu 20.04 LTS.
Red Hat Security Advisory 2023-1486-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include HTTP request smuggling, code execution, and denial of service vulnerabilities.
Red Hat Security Advisory 2022-8532-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Issues addressed include a HTTP request smuggling vulnerability.
Updated Satellite 6.9 packages that fix several bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24790: puma-5.6.4: http request smuggling vulnerabilities
Gentoo Linux Security Advisory 202208-28 - Multiple vulnerabilities have been discovered in Puma, the worst of which could result in denial of service. Versions less than 5.6.4 are affected.
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.