
===================================================================
                                CERT-Renater

                      Note d'Information No. 2022/VULN189

_____________________________________________________________________

DATE                : 31/05/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Rack versions prior to 2.0.9.1,
                                   2.1.4.1, 2.2.3.1.

====================================================================

https://groups.google.com/g/rubyonrails-security/c/J4PJo_cB-4c
https://groups.google.com/g/rubyonrails-security/c/PqEYO9ARpq0
_____________________________________________________________________

[CVE-2022-30123] Possible shell escape sequence injection vulnerability
                   in Rack

Aaron Patterson

May 27, 2022, 5:51:03 PM  to ruby-sec...@googlegroups.com, 
rubyonrail...@googlegroups.com

There is a possible shell escape sequence injection vulnerability in
the Lint and CommonLogger components of Rack.  This vulnerability has
been assigned the CVE identifier CVE-2022-30123.


Versions Affected:  All.

Not affected:       None

Fixed Versions:     2.0.9.1, 2.1.4.1, 2.2.3.1


Impact

------

Carefully crafted requests can cause shell escape sequences to be
written to the terminal via Rack's Lint middleware and CommonLogger
middleware.  These escape sequences can be leveraged to possibly
execute commands in the victim's terminal.


Impacted applications will have either of these middleware installed,
and vulnerable apps may have something like this:


```
use Rack::Lint
```


Or


```
use Rack::CommonLogger
```


All users running an affected release should either upgrade or use
one of the workarounds immediately.


Releases

--------

The FIXED releases are available at the normal locations.


Workarounds

-----------

Remove these middleware from your application


Patches

-------

To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.


* 2-0-shell-escape.patch - Patch for 2.0 series

* 2-1-shell-escape.patch - Patch for 2.1 series

* 2-2-shell-escape.patch - Patch for 2.2 series


Credits

-------


Thanks to [@vairelt](https://hackerone.com/vairelt) for reporting
this

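The advisory above describes request-controlled bytes reaching a terminal through Lint and CommonLogger. The following is an added example, not Rack's code and not part of the advisory: a CommonLogger-style middleware that rewrites every terminal control character in request-derived fields into a visible `\xNN` form before the line reaches a log stream. The class name `SafeCommonLogger`, the helper names, the log format and the sample request are all constructed for illustration.

```ruby
require 'stringio'

# Map every C0 control byte (0x00-0x1f), DEL (0x7f) and C1 control
# (U+0080-U+009F) to a visible "\xNN" form, so ESC (0x1b) can never start
# a terminal escape sequence when the line is printed.
def sanitize_for_terminal(value)
  text = value.to_s.dup.force_encoding(Encoding::UTF_8).scrub('?')
  text.gsub(/[\x00-\x1f\x7f\u0080-\u009f]/) { |c| format('\\x%02x', c.ord) }
end

# Common-Log-Format-like line (constructed format, not Rack's exact one);
# every field that originates from the request goes through the sanitizer.
LOG_FORMAT = %(%s - - [%s] "%s %s%s %s" %d\n)

def build_log_line(env, status, now = Time.now.utc)
  query = env['QUERY_STRING'].to_s
  fields = [
    env['REMOTE_ADDR'],
    env['REQUEST_METHOD'],
    env['PATH_INFO'],
    query.empty? ? '' : "?#{query}",
    env['SERVER_PROTOCOL'] || env['HTTP_VERSION']
  ].map { |f| sanitize_for_terminal(f) }

  format(LOG_FORMAT,
         fields[0], now.strftime('%d/%b/%Y:%H:%M:%S %z'),
         fields[1], fields[2], fields[3], fields[4], status)
end

# Minimal Rack-interface middleware (hypothetical name): logs after the
# downstream app has answered, then passes the response through unchanged.
class SafeCommonLogger
  def initialize(app, io = $stderr)
    @app = app
    @io = io
  end

  def call(env)
    status, headers, body = @app.call(env)
    @io << build_log_line(env, status)
    [status, headers, body]
  end
end

if $PROGRAM_NAME == __FILE__
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  out = StringIO.new
  # Constructed sample request whose path carries an ESC sequence
  # (clear-screen); not a captured request.
  env = {
    'REMOTE_ADDR' => '203.0.113.9', 'REQUEST_METHOD' => 'GET',
    'PATH_INFO' => "/\e[2Jhello", 'QUERY_STRING' => '',
    'SERVER_PROTOCOL' => 'HTTP/1.1'
  }
  SafeCommonLogger.new(app, out).call(env)
  puts out.string # the ESC byte appears as the literal text \x1b
end
```

The same `sanitize_for_terminal` step belongs in any log formatter that echoes request headers, paths or query strings, whatever the framework; the point is that the log file, not the terminal, decides how a control byte is rendered.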
_____________________________________________________________________

[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart
                    Parsing

Aaron Patterson

May 27, 2022, 5:48:27 PM  to ruby-sec...@googlegroups.com,
rubyonrail...@googlegroups.com

There is a possible denial of service vulnerability in the multipart
parsing component of Rack.  This vulnerability has been assigned the CVE
identifier CVE-2022-30122.


Versions Affected:  >= 1.2

Not affected:       < 1.2

Fixed Versions:     2.0.9.1, 2.1.4.1, 2.2.3.1


Impact

------

Carefully crafted multipart POST requests can cause Rack's multipart
parser to take much longer than expected, leading to a possible denial
of service vulnerability.


Impacted code will use Rack's multipart parser to parse multipart posts.
This includes directly using the multipart parser like this:


```
params = Rack::Multipart.parse_multipart(env)
```


But it also includes reading POST data from a Rack request object
like this:


```
p request.POST # read POST data
p request.params # reads both query params and POST data
```


All users running an affected release should either upgrade or use
one of the workarounds immediately.


Releases

--------

The FIXED releases are available at the normal locations.


Workarounds

-----------

There are no feasible workarounds for this issue.


Patches

-------

To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.


* 2-0-multipart-redos.patch - Patch for 2.0 series

* 2-1-multipart-redos.patch - Patch for 2.1 series

* 2-2-multipart-redos.patch - Patch for 2.2 series


Credits

-------


Thanks to [@ooooooo_q](https://hackerone.com/ooooooo_q?type=user) for
reporting this!




========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
========================================================
