PT-2023-2284 · Unknown · Unpoly-Rails
Riskweline
·
Published
2023-03-30
·
Updated
2023-04-07
·
CVE-2023-28846
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
unpoly-rails versions prior to 2.7.2.2
Description
The issue is related to a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem. This affects Rails applications operating as an upstream of a load balancer that uses passive health checks. The unpoly-rails gem echoes the request URL as an
X-Up-Location response header. By making a request with exceedingly long URLs, an attacker can cause unpoly-rails to write a large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group, making the application instance unavailable until a configured timeout is reached or until an active healthcheck succeeds.Recommendations
To resolve the issue, upgrade to version 2.7.2.2 or later.
If unable to upgrade, consider the following workarounds:
- Configure the load balancer to use active health checks by periodically requesting a route with a known response that indicates healthiness.
- Configure the load balancer so the maximum size of response headers is at least twice the maximum size of a URL.
- Configure the Rails application to delete redundant
X-Up-Locationheaders set by unpoly-rails by adding the following code to the ApplicationController:
ruby
after action :remove redundant up location header
private
def remove redundant up location header
if request.original url == response.headers['X-Up-Location']
response.headers.delete('X-Up-Location')
end
endExploit
Fix
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Unpoly-Rails