[CVE-2018-15578] Denial of Service vulnerability in Rails 3.2 LTS (Active Record)


There is a possible ReDoS (regular expression denial of service) vulnerability in the activerecord gem that is part of Rails LTS. An attacker using a specially crafted request can cause an application with certain vulnerable code to consume an excessive amount of CPU time.

Affected versions: Rails 3.2.22.9 LTS and lower, Rails 3.0.20.12 LTS and lower
Unaffected versions: Rails 2.3 LTS

Note: The flaw is also present in the official non-LTS 3.x version of Active Record, which is no longer maintained. Other non-LTS Rails versions are not affected.

Impact

Specially crafted requests can be used to consume an excessive amount of CPU time. This happens when the application passes user input into an Active Record query that also uses the .includes method, for example:

Article.includes(:comments).where(title: params[:title])

The request needs to be fairly large, but it is possible to consume over a minute of CPU time with a 100 kB request. The attack is therefore more effective when the vulnerable code can be reached with a POST request, whose body is not limited by the URL length restrictions that apply to GET parameters.
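The following Ruby is an added example written for this card; it is not code from the advisory or from Rails LTS. It reconstructs the mechanism behind the report: before deciding whether `includes` has to become a JOIN, Rails 3.x scanned the generated SQL string for `table.` prefixes, and because the WHERE value is inlined into that string, the user-supplied title is scanned as well. The regular expression `TABLE_SCAN` is modeled on that scan (an assumption, since the card does not print it), and `build_sql` is a constructed stand-in for the SQL behind the query above. `scan_with_step_count` hand-executes the same pattern while counting engine steps, so the quadratic cost is visible without depending on timing (Ruby 3.2 and later memoize regex backtracking and may hide the blow-up on a stopwatch). `bounded_title`, with an assumed limit of 255 characters, shows the application-side check of capping input length before it reaches such a query.

```ruby
# Added illustration for the CVE-2018-15578 card; not code from Rails LTS.
# ASSUMPTIONS: TABLE_SCAN is modeled on the table-name scan Rails 3.x ran over
# the generated SQL to decide whether `includes` must become a JOIN (the card
# does not print it), and build_sql is a constructed stand-in for the SQL that
#   Article.includes(:comments).where(title: params[:title])
# would generate. No database or Rails gem is needed to run this.

TABLE_SCAN = /([\.a-zA-Z_]+).?\./

# The heuristic's goal: collect every `table.` prefix that appears in the SQL.
# Because the WHERE value is inlined into the string, user input is scanned too.
def tables_in_string(sql)
  sql.scan(TABLE_SCAN).flatten.map(&:downcase).uniq
end

# Constructed approximation of the generated SQL (single quotes doubled as SQL does).
def build_sql(title)
  %(SELECT "articles".* FROM "articles" WHERE "articles"."title" = '#{title.gsub("'", "''")}')
end

# Hand-executed TABLE_SCAN that counts engine steps, so the cost is visible
# without a stopwatch. (Ruby 3.2+ memoizes regex backtracking and can hide the
# blow-up in wall-clock time; this model shows what older engines do.)
# For every start position the greedy [\.a-zA-Z_]+ consumes the whole run of
# word characters, then gives one back at a time trying `.?\.`: a run of k
# letters with no dot after it costs k*(k+1) steps, i.e. quadratic in k.
# Returns [table_names, steps].
def scan_with_step_count(sql)
  n = sql.length
  pos = 0
  steps = 0
  found = []
  while pos < n
    run_end = sql.index(/[^.a-zA-Z_]/, pos) || n   # greedy [\.a-zA-Z_]+
    steps += run_end - pos
    match_end = nil
    len = run_end - pos
    while len >= 1                                  # backtrack one char at a time
      steps += 1
      after = pos + len
      if after < n && sql[after] != "\n" && sql[after + 1] == "."
        match_end = after + 2                       # `.?` took a char, then `\.`
      elsif sql[after] == "."
        match_end = after + 1                       # `.?` matched empty, then `\.`
      end
      if match_end
        found << sql[pos, len].downcase
        break
      end
      len -= 1
    end
    pos = match_end || pos + 1                      # resume after a match, else at the next char
  end
  [found.uniq, steps]
end

# Steps the scan spends on the card's query for a given title parameter.
def query_cost(title)
  scan_with_step_count(build_sql(title))[1]
end

# Application-side mitigation, independent of the LTS patch: bound the size of
# user input before it reaches a query built with `includes`. 255 is an assumed
# limit for illustration.
MAX_TITLE_LENGTH = 255

def bounded_title(raw)
  title = raw.to_s
  if title.length > MAX_TITLE_LENGTH
    raise ArgumentError, "title exceeds #{MAX_TITLE_LENGTH} characters"
  end
  title
end

if __FILE__ == $PROGRAM_NAME
  puts "tables seen: #{tables_in_string(build_sql('hello world')).inspect}"
  puts "tables seen with a dot in the title: #{tables_in_string(build_sql('foo.bar')).inspect}"
  [100, 1_000, 2_000].each { |k| puts "title of #{k} letters: #{query_cost('a' * k)} steps" }
end
```

Two things stand out when running it: a title such as `foo.bar` makes the heuristic believe the query references a table named `foo`, which confirms that user input flows into the scan, and a title of 1000 letters costs roughly a hundred times as many steps as one of 100 letters, which is the quadratic growth that turns a 100 kB request into a minute of CPU. Beyond capping input length, an application can also state the loading strategy explicitly with `preload` or `eager_load` (available since Rails 3.1) instead of letting `includes` guess it from the SQL; that is general Rails practice, not the change shipped in the LTS fix.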

Fixes

A fixed version of Rails 3.2 LTS has been released in the usual location.

Credits

Thanks to Pete Brumm for discovering and reporting this issue.

Author: Tobias Kraze
Last edit: Michael Leimstädtner
License: Source code in this card is licensed under the MIT License.
Posted by Tobias Kraze to Rails LTS documentation (2018-08-27 12:29)