Debian DLA-3023-1 : puma - LTS security update

high Nessus Plugin ID 161515

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3023 advisory.

- In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2. (CVE-2019-16770)

- In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
(CVE-2020-5247)

- Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability. (CVE-2022-23634)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the puma packages.

For Debian 9 stretch, these problems have been fixed in version 3.6.0-1+deb9u2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946312

https://security-tracker.debian.org/tracker/source-package/puma

https://www.debian.org/lts/security/2022/dla-3023

https://security-tracker.debian.org/tracker/CVE-2019-16770

https://security-tracker.debian.org/tracker/CVE-2020-5247

https://security-tracker.debian.org/tracker/CVE-2022-23634

https://packages.debian.org/source/stretch/puma

Plugin Details

Severity: High

ID: 161515

File Name: debian_DLA-3023.nasl

Version: 1.2

Type: local

Agent: unix

Published: 5/26/2022

Updated: 5/26/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2020-5247

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:puma, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 5/26/2022

Vulnerability Publication Date: 12/5/2019

Reference Information

CVE: CVE-2019-16770, CVE-2020-5247, CVE-2022-23634