DoS Vulnerability in Multipart MIME parsing (CVE-2023-27530)


Yesterday, a possible Denial of Service vulnerability was disclosed in the multipart parser of Rack, which also affects Rails applications. We have backported the fix to all versions of Rails LTS. For Rails LTS 2 - 4 we have additionally backported an extra protection mechanism for file handles; please see below for potential incompatibilities.

To upgrade, please update both the rails and the rack gem for Rails 2 - 4 LTS, or just the rack gem for Rails 5 LTS.


DoS vulnerability in Rack


An attacker could send "multipart/form-data" requests with an excessive number of parts, causing a Rails application to consume an unexpected amount of memory and CPU time while parsing them.

There has always been a limit on how many parts with filenames (file uploads) a request may contain, but there was no limit on parts without filenames (ordinary form fields), so an attacker could simply send thousands of those.

Rack now enforces a limit of 4096 parts in total per request. This can be raised by setting the environment variable RACK_MULTIPART_TOTAL_PART_LIMIT; setting it to 0 disables the limit. Like the existing RACK_MULTIPART_PART_LIMIT, the value is read when Rack is loaded, so it must be present in the environment of the application server process rather than set from within the application.
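To make the difference between the two limits concrete, here is an added example (not Rack's or Rails LTS's code): a minimal multipart/form-data splitter that counts file parts and total parts separately and rejects a request as soon as either limit is exceeded. The default values mirror Rack's; the parser, the helper names and the sample bodies are constructed for this example and deliberately ignore everything a real parser has to handle (streaming, quoting, nested content types).

```ruby
# Added example, not Rack's or Rails LTS's code: a minimal multipart/form-data
# splitter that enforces the two limits the advisory describes, a limit on
# parts with filenames (file uploads) and a limit on all parts. The default
# values mirror Rack's; the parser itself is a simplified, constructed one.
FILE_PART_LIMIT  = 128   # like RACK_MULTIPART_PART_LIMIT
TOTAL_PART_LIMIT = 4096  # like RACK_MULTIPART_TOTAL_PART_LIMIT

class TooManyParts < StandardError; end

# Build a multipart body with +text_parts+ plain fields and +file_parts+
# fields carrying a filename. Constructed sample input, not a captured request.
def build_multipart(boundary, text_parts:, file_parts:)
  body = +""
  text_parts.times do |i|
    body << "--#{boundary}\r\n"
    body << "Content-Disposition: form-data; name=\"f#{i}\"\r\n\r\n"
    body << "v#{i}\r\n"
  end
  file_parts.times do |i|
    body << "--#{boundary}\r\n"
    body << "Content-Disposition: form-data; name=\"u#{i}\"; filename=\"a#{i}.txt\"\r\n"
    body << "Content-Type: text/plain\r\n\r\n"
    body << "data\r\n"
  end
  body << "--#{boundary}--\r\n"
end

# Split +body+ into parts, counting as we go and raising as soon as a limit is
# exceeded, so a hostile request is rejected before thousands of parts are
# buffered. A limit of 0 means "unlimited", as with the environment variables.
# Passing total_limit: 0 reproduces the pre-fix behaviour, where only file
# parts were counted.
def parse_multipart(body, boundary, total_limit: TOTAL_PART_LIMIT, file_limit: FILE_PART_LIMIT)
  total_count = 0
  file_count  = 0
  parts = []
  body.split("--#{boundary}").each do |chunk|
    # Skip the (empty) preamble and the closing "--" delimiter.
    next if chunk.empty? || chunk.start_with?("--")
    headers, _, value = chunk.sub(/\A\r\n/, "").partition("\r\n\r\n")
    disposition = headers[/^Content-Disposition:.*$/i].to_s
    name     = disposition[/name="([^"]*)"/, 1]
    filename = disposition[/filename="([^"]*)"/, 1]

    total_count += 1
    if total_limit > 0 && total_count > total_limit
      raise TooManyParts, "Maximum total multiparts (#{total_limit}) reached"
    end
    if filename
      file_count += 1
      if file_limit > 0 && file_count > file_limit
        raise TooManyParts, "Maximum file multiparts (#{file_limit}) reached"
      end
    end
    parts << { name: name, filename: filename, value: value.chomp("\r\n") }
  end
  parts
end

# Convenience: true if the parser rejects the request under the given limits.
def rejected?(body, boundary, **limits)
  parse_multipart(body, boundary, **limits)
  false
rescue TooManyParts
  true
end
```

A body with 5000 filename-less fields passes when only the file limit is enforced (total_limit: 0, the pre-fix situation) and is rejected at part 4097 with the default total limit, while the file limit of 128 continues to apply on its own. Note that the counters are incremented before the part is stored, which is what keeps the memory cost of a rejected request bounded.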


Additional DoS protection against requests containing many file parts


We detected an additional issue with requests containing a high number of file parts. While there is a limit of 128 file parts per request (RACK_MULTIPART_PART_LIMIT), Rails 2 - 4 LTS had no mechanism to actually close and delete the tempfiles created for those parts at the end of a request.

This means that file handles stay open until Ruby's garbage collector finalizes the Tempfile objects, which can exhaust the file descriptors available to the application server, especially on Ruby 1.8.7.

Rails 5+ applications by default include the middleware Rack::TempfileReaper, which closes and deletes all tempfiles created by a request once that request is finished. We have ported this middleware to Rails 2 - 4 LTS to address this issue.
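The mechanism described above, as an added example that is neither Rack's Rack::TempfileReaper nor Rails LTS's port of it: a minimal Rack-style middleware that closes and unlinks every Tempfile recorded in env["rack.tempfiles"] (the environment key Rack uses for this purpose) once the server has finished streaming the response. The class name TempfileReaperExample, the uploading app and the x.upload_count key are constructed for the example.

```ruby
require "tempfile"

# Added example, not Rack's Rack::TempfileReaper: a minimal Rack-style
# middleware that closes and unlinks every Tempfile a request created once
# the response body has been fully served. Convention borrowed from Rack:
# code that creates tempfiles appends them to env["rack.tempfiles"].
class TempfileReaperExample
  def initialize(app)
    @app = app
  end

  def call(env)
    env["rack.tempfiles"] ||= []
    status, headers, body = @app.call(env)
    # Wrap the body so cleanup runs when the server calls body.close,
    # i.e. after the response has been streamed, not before.
    [status, headers, ReapingBody.new(body, env["rack.tempfiles"])]
  rescue Exception
    # The app raised: release the handles anyway, then re-raise.
    self.class.reap(env["rack.tempfiles"])
    raise
  end

  # Close each handle and unlink the file, without waiting for the GC.
  def self.reap(tempfiles)
    tempfiles.each(&:close!)
    tempfiles.clear
  end

  # Body proxy: delegates iteration to the real body, reaps on close.
  class ReapingBody
    def initialize(body, tempfiles)
      @body, @tempfiles = body, tempfiles
    end

    def each(&block)
      @body.each(&block)
    end

    def close
      @body.close if @body.respond_to?(:close)
    ensure
      TempfileReaperExample.reap(@tempfiles)
    end
  end
end

# A constructed app standing in for a multipart parser: it creates one
# Tempfile per "uploaded" file and records it in env["rack.tempfiles"].
UPLOADING_APP = lambda do |env|
  files = Array.new(env.fetch("x.upload_count", 3)) do |i|
    tf = Tempfile.new("upload-#{i}")
    tf.write("file #{i}")
    tf.flush
    env["rack.tempfiles"] << tf
    tf
  end
  [200, { "content-type" => "text/plain" }, ["stored #{files.size} files"]]
end

# Run one request through the middleware and report how many tempfiles
# still exist before and after the server closes the response body.
def simulate_request(upload_count)
  env = { "x.upload_count" => upload_count }
  status, _headers, body = TempfileReaperExample.new(UPLOADING_APP).call(env)
  paths = env["rack.tempfiles"].map(&:path)   # captured before unlinking
  body.each { |chunk| chunk }                 # the server streams the response
  before_close = paths.count { |p| File.exist?(p) }
  body.close                                  # server is done: reaper runs
  after_close = paths.count { |p| File.exist?(p) }
  { status: status, before_close: before_close, after_close: after_close }
end
```

The tempfiles exist for exactly as long as the response does: all of them are still on disk while the body is being streamed, and none remain after the server calls close. Tying the cleanup to the body proxy rather than to the end of call matters because a streamed body may still need the uploaded data after the app has returned.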


Potential breaking change


While we could not detect any problems with our test applications, we suspect that under rare circumstances this change might cause issues. For example:
  • Your application might depend on the exact composition of the middleware stack and be unable to deal with the additional middleware.
  • You might have an integration test that depends on tempfiles still existing after the request cycle has finished.

In this case, one option would be to remove the middleware using

config.middleware.delete ::Rack::TempfileReaper

in your application.rb / environment.rb.

Best
- the Rails LTS team




makandra GmbH
Werner-von-Siemens-Str. 6
86159 Augsburg
+49 (0) 821 58866 180

CEO: Dr. Thomas Eisenbarth
Commercial register court: Augsburg Municipal Court 
Register number: HRB 24202
