CVE-2022-23634 Puma is a Ruby/Rack web server that doesn't always call close on the response body.

If you are running Puma version 4.3.11 or below, you should upgrade your server immediately. If you are running Puma version 5.6.2 or above, you do not need to upgrade. We recommend that all users of Puma 5.6.2 or above upgrade their servers immediately.

Puma version 5.6.2 adds the ability to opt out of the `close()` call on the response body, which is enabled by default. This allows Puma to be used in environments where the response body is expected to be closed, but does not have to be. To enable this behavior, set `puma.close_on_downgrade = false` in your server.rb configuration file.

Upgrading to Puma version 5.6.2 or above is recommended for all users of Puma. When upgrading, we recommend setting the following configuration options:

1. `puma.close_on_downgrade = true` – You may set this option to false if you use the default `close()` behavior and want to continue using it.
2. `puma.disable_executor

Upgrading to Puma version 5.7.0

We recommend that all users of Puma 5.6.2 or above upgrade their servers immediately.

Puma version 4.3.11 and below

Puma version 4.3.11 fixes a vulnerability which could allow an attacker to execute arbitrary code on the server with the privileges of the user running Puma. A malicious client can exploit this vulnerability by sending a specially crafted connection response to the server, which leads to arbitrary code execution with the privileges of the user running Puma.

Puma – why is it vulnerable?

The vulnerability has been identified as CVE-2022-23634 and is currently assigned to the vendor Puma. The vulnerability is found in the `close()` method of the Puma class. The close() method closes the response body, which is used by default in most applications, but not all applications. If a connection croaks while you are still processing the response body, you can be left with an unavailable connection.

Puma version 5.6.1 and below

Puma version 5.6.1 fixes a bug in which the `close()` method was not invoked on the response body when using a non-blocking HTTP client such as Net::HTTP or HTTPClient. For this reason, we recommend all users of Puma version 5.6.1 upgrade their servers immediately with the following configuration settings:

1. `puma.close_on_downgrade = false` – You may set this option to true if you use Net::HTTP or HTTPClient and want to continue to use that client on your server.
2. `puma.disable_executor` – You may set this option to true if you use Net::HTTP or HTTPClient and want to continue using them on your server but disable their default executor behavior of closing over time when no longer needed.