FreeBSD: VID-95176BA5-9796-11ED-BFBF-080027F5FEC9 (CVE-2022-44572): rack -- Multiple vulnerabilities
Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-95176BA5-9796-11ED-BFBF-080027F5FEC9:
Aaron Patterson reports:
CVE-2022-44570
Carefully crafted input can cause the Range header
parsing component in Rack to take an unexpected amount
of time, possibly resulting in a denial of service
attack vector. Any applications that deal with Range
requests (such as streaming applications, or
applications that serve files) may be impacted.
CVE-2022-44571
Carefully crafted input can cause Content-Disposition
header parsing in Rack to take an unexpected amount of
time, possibly resulting in a denial of service attack
vector. This header is used typically used in multipart
parsing. Any applications that parse multipart posts
using Rack (virtually all Rails applications) are
impacted.
CVE-2022-44572
Carefully crafted input can cause RFC2183 multipart
boundary parsing in Rack to take an unexpected amount of
time, possibly resulting in a denial of service attack
vector. Any applications that parse multipart posts
using Rack (virtually all Rails applications) are
impacted.
Solution(s)
- freebsd-upgrade-package-rubygem-rack
- freebsd-upgrade-package-rubygem-rack16
- freebsd-upgrade-package-rubygem-rack22
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center