[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack


Aaron Patterson

Feb 11, 2022, 3:39:25 PM
To: oss-se...@lists.openwall.com, ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com
## Impact

Under certain circumstances a response body is never closed, for example because of a bug in the web server[1] or in a Rack middleware. If the response is not notified of a close, ActionDispatch::Executor is never told that the request has completed and does not reset thread-local state before the next request runs on the same thread. This can leak data from one request into subsequent requests, especially state held in ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails mitigates this issue even in the presence of a buggy web server or middleware implementation.

## Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series. They are in git-am format and each consists of a
single changeset.

* 5.2-information-leak.patch
* 6.0-information-leak.patch
* 6.1-information-leak.patch
* 7.0-information-leak.patch

## Workarounds

Upgrading is highly recommended, but if you cannot upgrade yet, the following middleware works around the problem by completing any request that was left open on the current thread before the next request starts:

```ruby
class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    # If the previous request on this thread was never completed (its body was
    # never closed), complete it now so its thread-local state is reset.
    ensure_completed!
    super
  end

  private

    def ensure_completed!
      @executor.new.complete! if @executor.active?
    end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
```
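To make the failure mode and the workaround concrete, here is a self-contained Ruby simulation added for this page; it is not Rails code. `Current`, `AppExecutor`, `BodyProxy`, `Executor` and `simulate` are stand-ins modelled on ActiveSupport::CurrentAttributes, ActiveSupport::ExecutionWrapper, Rack::BodyProxy and ActionDispatch::Executor, reduced to the behaviour that matters here: the executor only resets thread-local state when the response body is closed, so a server that never calls `close` leaks the previous request's user into the next request on the same thread, and the `GuardedExecutor` pattern from the advisory closes that gap.

```ruby
# Constructed simulation of the CVE-2022-23633 failure mode and the GuardedExecutor
# workaround. It is not Rails code; every class below is a simplified stand-in.

# Stand-in for ActiveSupport::CurrentAttributes: per-thread request state that the
# executor is expected to reset at the end of every request.
module Current
  def self.user; Thread.current[:current_user]; end
  def self.user=(u); Thread.current[:current_user] = u; end
  def self.reset; Thread.current[:current_user] = nil; end
end

# Stand-in for ActiveSupport::ExecutionWrapper, the object ActionDispatch::Executor
# drives: run! marks the thread active, complete! runs the reset callbacks.
class AppExecutor
  def self.active?
    Thread.current[:app_executor_active] == true
  end

  def self.run!
    Thread.current[:app_executor_active] = true
    new
  end

  def complete!
    Current.reset
    Thread.current[:app_executor_active] = false
  end
end

# Stand-in for Rack::BodyProxy: runs the block when the server closes the body.
class BodyProxy
  def initialize(body, &on_close)
    @body = body
    @on_close = on_close
  end

  def each(&blk); @body.each(&blk); end

  def close
    @body.close if @body.respond_to?(:close)
    @on_close.call
  end
end

# Stand-in for ActionDispatch::Executor: complete! only runs when the body is closed.
class Executor
  def initialize(app, executor)
    @app = app
    @executor = executor
  end

  def call(env)
    state = @executor.run!
    status, headers, body = @app.call(env)
    [status, headers, BodyProxy.new(body) { state.complete! }]
  end
end

# The advisory's workaround applied to the stand-in: finish whatever the previous
# request cycle left open on this thread before starting a new one.
class GuardedExecutor < Executor
  def call(env)
    ensure_completed!
    super
  end

  private

  def ensure_completed!
    @executor.new.complete! if @executor.active?
  end
end

# Constructed app: authenticates from a header, otherwise reports whoever Current says.
APP = lambda do |env|
  Current.user = env["HTTP_X_USER"] if env["HTTP_X_USER"]
  [200, {}, ["hello #{Current.user.inspect}"]]
end

# Drive an authenticated request and then an anonymous one through the stack on a
# single thread and return the anonymous response. close_body: false models a server
# or middleware bug that never calls body.close.
def simulate(middleware_class, close_body:)
  Current.reset
  Thread.current[:app_executor_active] = false
  stack = middleware_class.new(APP, AppExecutor)
  run = lambda do |env|
    _status, _headers, body = stack.call(env)
    out = +""
    body.each { |chunk| out << chunk }
    body.close if close_body
    out
  end
  run.call("HTTP_X_USER" => "alice")
  run.call({})
end
```

With a well-behaved server, `simulate(Executor, close_body: true)` returns `hello nil` for the anonymous request. With a server that never closes the body, `simulate(Executor, close_body: false)` returns `hello "alice"`: the first request's user leaks into the second. Swapping in `GuardedExecutor` restores `hello nil` even without the close, because the guard completes the stale request before running the new one.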

## Credits

Thanks to Jean Boussier for fixing this!

1. https://github.com/puma/puma/pull/2812
