
=====================================================================

                               CERT-Renater

                   Note d'Information No. 2021/VULN607
_____________________________________________________________________

DATE                : 16/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running date gem for Ruby versions prior to
                               3.2.1, 3.1.2, 3.0.2, 2.0.1.

=====================================================================
https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
_____________________________________________________________________

CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods


Posted by mame on 15 Nov 2021

We have released date gem version 3.2.1, 3.1.2, 3.0.2, and 2.0.1 that
include a security fix for a regular expression denial of service
vulnerability (ReDoS) on date parsing methods. An attacker can exploit
this vulnerability to cause an effective DoS attack.


Details

Date's parsing methods, including Date.parse, use Regexps internally,
some of which are vulnerable to regular expression denial of service.
Applications and libraries that apply such methods to untrusted input
may be affected.


The fix limits the input length to 128 bytes by default instead of
changing the regexps, because the date gem uses many Regexps and some
undiscovered vulnerable Regexps may remain. For compatibility, the
limit can be removed by explicitly passing the limit keyword as nil,
e.g. Date.parse(str, limit: nil), but note that parsing may then take a
long time.


Please update the date gem to version 3.2.1, 3.1.2, 3.0.2 or 2.0.1, or
later. You can use gem update date to update it. If you are using
bundler, please add gem "date", ">= 3.2.1" to your Gemfile.


Affected versions

  o date gem 2.0.0 or prior (which are bundled versions with Ruby 2.6 series)
  o date gem 3.0.1 or prior (which are bundled versions with Ruby 2.7 series)
  o date gem 3.1.1 or prior (which are bundled versions with Ruby 3.0 series)
  o date gem 3.2.0 or prior
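As an added example (not code from the advisory or from the date gem), the following Ruby script covers two of the points above: it checks whether a given date gem version string carries the fix, using the per-series version floors listed in the affected-versions list, and it wraps Date.parse with an explicit input-length bound equal to the 128-byte default introduced by the fix, so that over-long untrusted input is rejected before any of the internal Regexps run, even on an unpatched gem. The function names, the best-effort lookup of the installed gem version, and the choice of 128 bytes as the application's own policy are assumptions made for this example.

```ruby
require 'rubygems'
require 'date'

# Fixed date gem versions from the advisory, keyed by release series.
# Any series newer than 3.2 is treated as carrying the fix.
FIXED_DATE_VERSIONS = {
  "2.0" => Gem::Version.new("2.0.1"),
  "3.0" => Gem::Version.new("3.0.2"),
  "3.1" => Gem::Version.new("3.1.2"),
  "3.2" => Gem::Version.new("3.2.1"),
}.freeze

# True when the given date gem version string includes the CVE-2021-41817 fix.
def date_gem_fixed?(version_string)
  v = Gem::Version.new(version_string)
  series = v.segments.first(2).join(".")
  floor = FIXED_DATE_VERSIONS[series] || Gem::Version.new("3.2.1")
  v >= floor
end

# Best-effort lookup of the installed date gem version (assumption: either
# Date::VERSION or a RubyGems specification is available); nil if neither is.
def installed_date_gem_version
  return Date::VERSION if defined?(Date::VERSION)
  Gem::Specification.find_by_name("date").version.to_s
rescue Gem::LoadError
  nil
end

# Parses a date string from untrusted input after enforcing a byte-length
# bound. The 128-byte default mirrors the bound the patched gem applies on its
# own; doing the check here as well keeps the behaviour identical on gems that
# predate the fix, where long input would otherwise reach the Regexps.
def parse_date_safely(str, max_bytes: 128)
  if str.bytesize > max_bytes
    raise ArgumentError, "date input too long (#{str.bytesize} > #{max_bytes} bytes)"
  end
  Date.parse(str)
end

if $PROGRAM_NAME == __FILE__
  v = installed_date_gem_version
  status = v && date_gem_fixed?(v) ? "patched" : "not confirmed patched, update it"
  puts "installed date gem #{v.inspect}: #{status}"
  puts parse_date_safely("2021-11-15")
end
```

The wrapper deliberately relies on its own length check rather than on the limit keyword, because on a gem that predates the fix a keyword argument is not an error but is silently taken as an ordinary positional argument. On a patched gem the bound can also be set directly with Date.parse(str, limit: n), as the advisory describes.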


Credits

Thanks to svalkanov for discovering this issue.


History

  o Originally published at 2021-11-15 08:00:00 (UTC)


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


