Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS2022-2022-051

Related Vulnerabilities: CVE-2021-29509   CVE-2021-41136   CVE-2022-23634   CVE-2022-24790  

A flaw was found in rubygem-puma. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. (CVE-2021-29509) An HTTP Request Smuggling vulnerability was found in puma. When using puma with a proxy, which forwards LF characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. (CVE-2021-41136) Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability. (CVE-2022-23634) Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard. (CVE-2022-24790)

Source

ALAS2022-2022-051

Amazon Linux 2022 Security Advisory: ALAS-2022-051
Advisory Release Date: 2022-04-19 00:04 Pacific
Advisory Updated Date: 2022-04-22 15:15 Pacific
Severity: Important
Issue Overview:

A flaw was found in rubygem-puma. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. (CVE-2021-29509)

An HTTP Request Smuggling vulnerability was found in puma. When using puma with a proxy, which forwards LF characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. (CVE-2021-41136)

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability. (CVE-2022-23634)

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard. (CVE-2022-24790)


Affected Packages:

rubygem-puma


Issue Correction:
Run dnf update --releasever=2022.0.20220419 rubygem-puma to update your system.

New Packages:
aarch64:
    rubygem-puma-debugsource-4.3.12-1.amzn2022.0.1.aarch64
    rubygem-puma-debuginfo-4.3.12-1.amzn2022.0.1.aarch64
    rubygem-puma-4.3.12-1.amzn2022.0.1.aarch64

i686:
    rubygem-puma-debuginfo-4.3.12-1.amzn2022.0.1.i686
    rubygem-puma-debugsource-4.3.12-1.amzn2022.0.1.i686
    rubygem-puma-4.3.12-1.amzn2022.0.1.i686

noarch:
    rubygem-puma-doc-4.3.12-1.amzn2022.0.1.noarch

src:
    rubygem-puma-4.3.12-1.amzn2022.0.1.src

x86_64:
    rubygem-puma-debuginfo-4.3.12-1.amzn2022.0.1.x86_64
    rubygem-puma-debugsource-4.3.12-1.amzn2022.0.1.x86_64
    rubygem-puma-4.3.12-1.amzn2022.0.1.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started