QID 354428

Date Published: 2022-12-21

QID 354428: Amazon Linux Security Advisory for rubygem-puma : ALAS2022-2022-051

a flaw was found in rubygem-puma.
The fix for( CVE-2019-16770 was incomplete.
The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process.
However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.
A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. (
( CVE-2021-29509) an http request smuggling vulnerability was found in puma.
When using puma with a proxy, which forwards lf characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. (
( CVE-2021-41136) puma is a ruby/rack web server built for parallelism.
Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body.
Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `currentattributes` implementation to work correctly.
The combination of these two behaviors (puma not closing the body + rails executor implementation) causes information leakage.
This problem is fixed in puma versions 5.6.2 and 4.3.11.
This problem is fixed in rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
Upgrading to a patched rails _or_ puma version fixes the vulnerability. (
( CVE-2022-23634) puma is a simple, fast, multi-threaded, parallel http 1.1 server for ruby/rack applications.
( CVE-2022-24790)



Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as Medium - 5 severity.
    • Solution
    Please refer to Amazon advisory: ALAS2022-2022-051 for affected packages and patching details, or update with your package manager.
    Vendor References

    CVEs related to QID 354428

    CVE-2022-23634 | CVE-2021-41136 | CVE-2022-24790 | CVE-2021-29509 |
    Software Advisories
    Advisory ID Software Component Link
    ALAS2022-2022-051 amazon linux 2022 URL Logo alas.aws.amazon.com/AL2022/ALAS-2022-051.html
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].