[CVE-2021-22880] Possible DoS Vulnerability in Active Record PostgreSQL adapter


Rafael França

Feb 10, 2021, 6:40:22 PM
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com
There is a possible DoS vulnerability in the PostgreSQL adapter in Active
Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected:  >= 4.2.0
Not affected:       < 4.2.0
Fixed Versions:     6.1.2.1, 6.0.3.5, 5.2.4.5

Impact
------
Carefully crafted input can cause the input validation in the "money" type of
the PostgreSQL adapter in Active Record to spend too much time in a regular
expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with
money type columns that take user input.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
In the case a patch can't be applied, the following monkey patch can be used
in an initializer:

```
module ActiveRecord
  module ConnectionAdapters
    module PostgreSQL
      module OID # :nodoc:
        class Money < Type::Decimal # :nodoc:
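          def cast_value(value)
            return value unless ::String === value

            # Money output follows the locale, so two separator styles occur:
            #  (1) $12,345,678.12
            #  (2) $12.345.678,12
            # Negative values appear as -$2.55 or as (4) ($2.55).
            # \D*+ is a possessive quantifier: once it has consumed the
            # non-digit prefix it never backtracks through it.
            value = value.sub(/^\((.+)\)$/, '-\1') # (4)
            case value
            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
              value.gsub!(/[^-\d.]/, "")
            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
              value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
            end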

            super(value)
          end
        end
      end
    end
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 5-2-postgresql-money-dos.patch
* 6-0-postgresql-money-dos.patch
* 6-1-postgresql-money-dos.patch

Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------

Thanks to @dee-see from HackerOne for reporting this issue!
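
The two exposure conditions stated above (an affected Active Record version, and money type columns) can be checked from a project's `Gemfile.lock` and `db/schema.rb`. The following is an added example, not part of the original advisory or of Rails; the function names and the sample lockfile and schema are constructed for illustration, and it assumes release series newer than 6.1 already include the fix.

```ruby
# Added example: exposure check for CVE-2021-22880 (not Rails code).
FIRST_AFFECTED = Gem::Version.new("4.2.0")   # "Versions Affected" in the advisory
FIXED_BY_SERIES = {                          # "Fixed Versions" in the advisory
  "5.2" => Gem::Version.new("5.2.4.5"),
  "6.0" => Gem::Version.new("6.0.3.5"),
  "6.1" => Gem::Version.new("6.1.2.1"),
}.freeze

# Classify an activerecord version against the advisory's ranges.
def cve_2021_22880_status(version_string)
  version = Gem::Version.new(version_string)
  return :not_affected if version < FIRST_AFFECTED

  fixed = FIXED_BY_SERIES[version.segments.first(2).join(".")]
  if fixed
    version >= fixed ? :fixed : :vulnerable
  elsif version > FIXED_BY_SERIES.values.max
    :fixed # assumption: series newer than 6.1 ship with the fix
  else
    :vulnerable_unsupported # affected, but no fixed release in this series
  end
end

# Resolved spec lines in Gemfile.lock are indented by exactly four spaces.
def locked_activerecord_version(lockfile_text)
  lockfile_text[/^ {4}activerecord \((\d[^)]*)\)$/, 1]
end

# List "table.column" for every money column declared in a schema.rb dump.
def money_columns(schema_text)
  table = nil
  schema_text.each_line.with_object([]) do |line, found|
    table = $1 if line =~ /create_table "([^"]+)"/
    found << "#{table}.#{$1}" if line =~ /^\s*t\.money\s+"([^"]+)"/
  end
end

def exposure(lockfile_text, schema_text)
  version = locked_activerecord_version(lockfile_text)
  { version: version,
    status: version ? cve_2021_22880_status(version) : :unknown,
    money_columns: money_columns(schema_text) }
end

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = "GEM\n  specs:\n    activerecord (6.0.3.4)\n      activemodel (= 6.0.3.4)\n"
SAMPLE_SCHEMA = "create_table \"orders\", force: :cascade do |t|\n" \
                "  t.money \"total\", scale: 2\n  t.string \"note\"\nend\n"
puts exposure(SAMPLE_LOCK, SAMPLE_SCHEMA).inspect if __FILE__ == $0
```

A `:vulnerable` or `:vulnerable_unsupported` status matters only when `money_columns` is non-empty and those columns take user input, as the Impact section states.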
