[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing

Aaron Patterson
May 27, 2022, 11:48:11 AM
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com

There is a possible denial of service vulnerability in the multipart parsing
component of Rack.  This vulnerability has been assigned the CVE identifier
CVE-2022-30122.

Versions Affected:  >= 1.2
Not affected:       < 1.2
Fixed Versions:     2.0.9.1, 2.1.4.1, 2.2.3.1

Impact
------

Carefully crafted multipart POST requests can cause Rack's multipart parser to
take much longer than expected, leading to a possible denial of service
vulnerability.

Impacted code will use Rack's multipart parser to parse multipart posts.  This
includes directly using the multipart parser like this:

```
params = Rack::Multipart.parse_multipart(env)
```

But it also includes reading POST data from a Rack request object like this:

```
p request.POST # read POST data
p request.params # reads both query params and POST data
```

All users running an affected release should either upgrade or use one of the
workarounds immediately.

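Deciding whether a deployment is on an affected release is the first thing a practitioner has to do with this advisory. The following Ruby script is an added example, not code from the advisory or from Rack itself: it classifies a Rack version string against the ranges given above (>= 1.2 affected; 2.0.9.1, 2.1.4.1 and 2.2.3.1 fixed) and pulls the resolved rack version out of Gemfile.lock text so it can be run across a fleet of repositories. The lockfile fragment is constructed for the demonstration, and treating any series newer than 2.2 as "unknown" (to be checked against later advisories) is an assumption, since the advisory does not list those series.

```ruby
# Added example (not from the advisory): decide whether a Gemfile.lock pins a
# Rack release affected by CVE-2022-30122, using the ranges the advisory gives.
require "rubygems" # Gem::Version ships with Ruby

FIRST_AFFECTED = Gem::Version.new("1.2")
FIXED_VERSIONS = %w[2.0.9.1 2.1.4.1 2.2.3.1].map { |v| Gem::Version.new(v) }

# "2.0.9.1" -> "2.0": the release series a version belongs to.
def series_of(version)
  version.segments.first(2).join(".")
end

# Classify a Rack version string against the advisory's ranges:
#   :not_affected  below 1.2
#   :affected      >= 1.2 and older than its series' fixed release, or in a
#                  1.x series (which the advisory gives no fixed release for)
#   :fixed         at or above the fixed release for its series
#   :unknown       a series the advisory does not list (assumption: anything
#                  newer than 2.2 has to be checked against later advisories)
def cve_2022_30122_status(version_string)
  version = Gem::Version.new(version_string)
  return :not_affected if version < FIRST_AFFECTED

  fix = FIXED_VERSIONS.find { |f| series_of(f) == series_of(version) }
  if fix
    version >= fix ? :fixed : :affected
  elsif version < Gem::Version.new("2.0")
    :affected
  else
    :unknown
  end
end

# Pull the resolved rack version out of Gemfile.lock text. Resolved gems are
# listed under "specs:" with a four-space indent and an exact version; their
# dependencies use six spaces and a constraint, so the anchored regex skips
# them, and "rack-test (...)" does not match because "rack" must be followed
# by a space and an opening parenthesis.
def rack_version_from_lockfile(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A    rack \((\d[^)]*)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

# Returns :no_rack when the lockfile does not resolve rack at all, otherwise
# [version_string, status].
def lockfile_status(lockfile_text)
  version = rack_version_from_lockfile(lockfile_text)
  return :no_rack if version.nil?

  [version, cve_2022_30122_status(version)]
end

# Constructed Gemfile.lock fragment for the demonstration (not a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.3)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-test
LOCK

if __FILE__ == $PROGRAM_NAME
  version, status = lockfile_status(SAMPLE_LOCKFILE)
  puts "rack #{version}: #{status}" # rack 2.2.3: affected
end
```

Run it against a real lockfile with `lockfile_status(File.read("Gemfile.lock"))`. Gem::Version orders "2.2.3" below "2.2.3.1", which is why the four-segment fixed releases compare correctly against the three-segment versions most lockfiles pin.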
Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

There are no feasible workarounds for this issue.

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for
the three release series listed below. They are in git-am format and consist of
a single changeset.

* 2-0-multipart-redos.patch - Patch for 2.0 series
* 2-1-multipart-redos.patch - Patch for 2.1 series
* 2-2-multipart-redos.patch - Patch for 2.2 series

Credits
-------

Thanks to [@ooooooo_q](https://hackerone.com/ooooooo_q?type=user) for reporting this!

Attachments:
2-2-multipart-redos.patch
2-1-multipart-redos.patch
2-0-multipart-redos.patch