Bug 1209095 (CVE-2023-27530)

Summary: VUL-0: CVE-2023-27530: rubygem-rack: Denial of service in Multipart MIME parsing
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: pgajdos, security-team, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/359524/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-27530:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1209096
Bug Blocks:

Description Cathy Hu 2023-03-09 09:50:46 UTC
CVE-2023-27530

There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.

Versions Affected: All.
Not affected: None.
Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

# Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.

References:

https://github.com/rubysec/ruby-advisory-db/tree/master/gems/rack/CVE-2023-27530.yml

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-27530
https://bugzilla.redhat.com/show_bug.cgi?id=2176477
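The gap described under Impact is a missing bound on the total number of parts. The following is an added example, not Rack's own code or the upstream fix: a Rack-style middleware that counts boundary delimiters and rejects oversized multipart requests with 413 before the body reaches the multipart parser. The class name, the 128-part default and the request builder are assumptions for illustration.

```ruby
require 'stringio'

# Added example (not Rack's own code): reject multipart bodies with more than a
# fixed number of parts before parsing. Only the boundary delimiter is scanned,
# so the cost is linear in a body size that a proxy limit already caps.
class MultipartPartLimit
  DEFAULT_MAX_PARTS = 128 # hypothetical limit; tune for the application

  def initialize(app, max_parts: DEFAULT_MAX_PARTS)
    @app = app
    @max_parts = max_parts
  end

  def call(env)
    boundary = multipart_boundary(env['CONTENT_TYPE'])
    return @app.call(env) unless boundary

    input = env['rack.input']
    body = input.read
    input.rewind if input.respond_to?(:rewind) # leave the body readable for the app

    # Every part opens with "--<boundary>" at the start of a line; the closing
    # delimiter "--<boundary>--" is not a part, so the lookahead excludes it.
    parts = body.scan(/^--#{Regexp.escape(boundary)}(?!--)/).size
    if parts > @max_parts
      return [413, { 'content-type' => 'text/plain' }, ["too many multipart parts\n"]]
    end
    @app.call(env)
  end

  private

  # Extracts the boundary parameter from a multipart Content-Type, if present.
  def multipart_boundary(content_type)
    return nil unless content_type && content_type.start_with?('multipart/')
    m = content_type.match(/boundary=(?:"([^"]+)"|([^;\s]+))/i)
    m && (m[1] || m[2])
  end
end

# Constructed sample request carrying part_count small form fields.
def multipart_env(part_count, boundary = 'XBOUNDARY')
  parts = (1..part_count).map { |i| "--#{boundary}\r\nContent-Disposition: form-data; name=\"f#{i}\"\r\n\r\nx\r\n" }
  body = parts.join + "--#{boundary}--\r\n"
  { 'CONTENT_TYPE' => "multipart/form-data; boundary=#{boundary}", 'rack.input' => StringIO.new(body) }
end

# HTTP status the middleware yields for part_count parts under the given limit.
def status_for(part_count, limit)
  app = ->(_env) { [200, {}, ['ok']] }
  MultipartPartLimit.new(app, max_parts: limit).call(multipart_env(part_count)).first
end
```

The scan may overcount a body whose part data contains a line beginning with the delimiter string, which is the fail-safe direction for a limit check.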
Comment 1 Cathy Hu 2023-03-09 09:51:16 UTC
Affected:
- SUSE:SLE-12:Update/rubygem-rack
- SUSE:SLE-15:Update/rubygem-rack
- openSUSE:Factory/rubygem-rack
Comment 2 Petr Gajdos 2023-03-09 12:31:36 UTC
https://build.opensuse.org/request/show/1070409
Comment 3 Petr Gajdos 2023-03-09 13:21:03 UTC
Submitted for 15/rubygem-rack.

I do not think 12/rubygem-rack is affected by this CVE (no handle_mime_head or mime_parts code).
Comment 6 Cathy Hu 2023-03-09 14:58:31 UTC
Okay, thanks, adjusting the tracking.
Comment 7 Maintenance Automation 2023-03-14 16:30:04 UTC
SUSE-SU-2023:0725-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1209095
CVE References: CVE-2023-27530
Sources used:
openSUSE Leap 15.4 (src): rubygem-rack-2.0.8-150000.3.15.1
SUSE Linux Enterprise High Availability Extension 15 SP1 (src): rubygem-rack-2.0.8-150000.3.15.1
SUSE Linux Enterprise High Availability Extension 15 SP2 (src): rubygem-rack-2.0.8-150000.3.15.1
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): rubygem-rack-2.0.8-150000.3.15.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): rubygem-rack-2.0.8-150000.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Petr Gajdos 2023-03-23 08:25:14 UTC
I believe all fixed.