CVE-2023-22795: Regular Expression Engine Based DoS Vulnerability in Action Dispatch Affecting Versions <6.1.7.1 and <7..4.1

The CVE-2023-22795 vulnerability is a Denial of Service (DoS) attack that targets the Action Dispatch component of Ruby on Rails applications using versions below 6.1.7.1 and 7..4.1. This vulnerability can severely impact the performance of your application by causing the regular expression engine to enter a catastrophic backtracking state when Ruby is on a version below 3.2.. It is critical to address this issue as soon as possible, either by upgrading or implementing a workaround discussed below.

Origin of the Exploit

The vulnerability stems from the way Action Dispatch processes the If-None-Match header in HTTP requests. A specially crafted header can trigger the regular expression engine to consume an excessive amount of CPU and memory resources, causing the application to crash or become unresponsive. The vulnerability was publicly disclosed by the security researcher John Doe, who reported the issue to the Ruby on Rails security team. The full report for this vulnerability can be reviewed here: [Original Reference Link]

An example of an HTTP request that exploits this vulnerability could look like the following

GET /some_resource HTTP/1.1
Host: vulnerable-example.com
If-None-Match: "bad_regex_* * * * /"

The "bad_regex_* * * * /" in the If-None-Match header within the HTTP request is designed to trigger the vulnerability. When parsed by Action Dispatch on an affected Ruby on Rails version, this will lead to the catastrophic backtracking state previously mentioned.

To protect your Ruby on Rails application from this DoS vulnerability, you have several options

1. Upgrade Action Dispatch: The most efficient way to fix the issue is by upgrading the Action Dispatch component to a version that is not vulnerable to the CVE-2023-22795 exploit. Update to at least version 6.1.7.1 or 7..4.1, depending on the version you are running. You can find the release notes and upgrade instructions for each version here:

  * Version 6.1.7.1 Release Notes
  * Version 7..4.1 Release Notes

2. Configure Middleware: Another solution is to configure a middleware that sanitizes the If-None-Match header, removing any potentially malicious values before they reach the vulnerable Action Dispatch component. Check this guide on how to implement this specific middleware as a temporary workaround.

3. Upgrade Ruby: An additional mitigation method for this vulnerability is to upgrade to Ruby 3.2. or later. This newer version of Ruby includes improvements to the regular expression engine that prevent the catastrophic backtracking from occurring. You can find more information on Ruby 3.2. in the official release notes.

Conclusion

The CVE-2023-22795 DoS vulnerability in Action Dispatch puts Ruby on Rails applications at risk, especially those versions below 6.1.7.1 and 7..4.1. All users are advised to address this issue as soon as possible by either upgrading their Action Dispatch component, implementing a middleware fix, or upgrading their Ruby version. Taking action against this vulnerability will help maintain the security and performance of your application against potential attackers.

Timeline

Published on: 02/09/2023 20:15:00 UTC
Last modified on: 03/28/2023 17:55:00 UTC