CVE-2021-41817

7.5 HIGH

📋 TL;DR

CVE-2021-41817 is a regular expression denial of service (ReDoS) vulnerability in Ruby's date gem. Attackers can cause denial of service by sending specially crafted long strings to Date.parse methods. This affects Ruby applications using vulnerable versions of the date gem.

💻 Affected Systems

Products:
  • Ruby date gem
Versions: date gem versions through 3.2.0
Operating Systems: All operating systems running Ruby
Default Config Vulnerable: ⚠️ Yes
Notes: Any Ruby application using Date.parse with untrusted input is vulnerable. The vulnerability is in the gem itself, not OS-specific.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability due to CPU exhaustion from processing malicious input, leading to service disruption.

🟠 Likely Case: Degraded performance or temporary unavailability of affected endpoints that parse dates from user input.

🟢 If Mitigated: Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specially crafted long string to Date.parse. The HackerOne report demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.1, 3.1.2, 3.0.2, or 2.0.1

Vendor Advisory: https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/

Restart Required: Yes

Instructions:

1. Update the installed gem: gem update date
2. In the application's Gemfile, require a patched version, e.g. gem 'date', '>= 3.2.1' (or the patched release for your line)
3. Run bundle update date
4. Restart the Ruby application so the patched gem version is loaded

🔧 Temporary Workarounds

Input validation and length restriction

Applies to: all platforms

Validate and limit the length of any untrusted input before it reaches Date.parse or the other date-parsing methods.

# In Ruby code, validate input before parsing:
require 'date'

def parse_date_or_nil(date_string)
  if date_string.is_a?(String) && date_string.length < 100
    Date.parse(date_string)
  else
    nil # handle invalid input: reject the request, log it, or fall back to a default
  end
rescue ArgumentError # Date::Error (invalid date) is an ArgumentError subclass
  nil
end
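A fuller version of this workaround, added here as an example (it is not code from this page or from the date gem), showing two defensive options: a length gate in front of the permissive Date.parse, and a strict allowlisted format via Date.strptime for fields whose shape is known in advance. The names parse_date_safely, parse_iso_date, MAX_DATE_LENGTH and ISO_DATE are this example's own, and the sample inputs are constructed. Patched releases (3.2.1 and later) also accept a limit: keyword on Date.parse, 128 characters by default; the explicit length check below gives equivalent protection on versions that lack it.

```ruby
require 'date'

# Upper bound for any date string we are willing to hand to Date.parse.
# Constructed value: every common date format fits well inside it.
MAX_DATE_LENGTH = 100

# Permissive path: gate untrusted input on type, emptiness and length, then
# let Date.parse handle the many formats it understands.
# Returns a Date, or nil for anything rejected or unparseable.
def parse_date_safely(input)
  return nil unless input.is_a?(String)

  value = input.strip
  return nil if value.empty? || value.length > MAX_DATE_LENGTH

  Date.parse(value)
rescue ArgumentError # Date::Error (invalid date) is an ArgumentError subclass
  nil
end

# Strict path: when the field has a known shape (an ISO 8601 calendar date
# here), accept only that shape with an anchored, bounded regexp and a fixed
# strptime format, so the heuristic parser behind Date.parse is never invoked.
ISO_DATE = /\A\d{4}-\d{2}-\d{2}\z/

def parse_iso_date(input)
  return nil unless input.is_a?(String) && ISO_DATE.match?(input)

  Date.strptime(input, '%Y-%m-%d')
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: normal dates, an oversized string, nil, an impossible
  # calendar date and an empty string.
  ['2021-11-15', 'Nov 15 2021', '0' * 500, nil, '2021-02-30', ''].each do |s|
    label = s.is_a?(String) && s.length > 24 ? "#{s[0, 21]}... (#{s.length} chars)" : s.inspect
    puts "#{label} => #{parse_date_safely(s).inspect}"
  end
  puts "strict 2021-11-15 => #{parse_iso_date('2021-11-15').inspect}"
  puts "strict 15/11/2021 => #{parse_iso_date('15/11/2021').inspect}"
end
```

Prefer the strict path wherever the application controls the input format (API schemas, form fields with a date picker); reserve the permissive path, with its length gate, for free-text fields that genuinely need Date.parse's flexibility.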

🧯 If You Can't Patch

  • Implement strict input validation and length limits on all date parsing inputs
  • Deploy rate limiting and WAF rules to block suspicious patterns in date inputs

🔍 How to Verify

Check if Vulnerable:

List the installed date gem version (date ships with Ruby as a default gem, so it appears as "date (default: x.y.z)" unless it has been updated separately): gem list date

Check Version:

gem list date | grep -E '^date \((default: )?[0-9]+\.'

For an application managed by Bundler, the effective version is the one in its lockfile: grep ' date (' Gemfile.lock

Verify Fix Applied:

Confirm the reported version is the patched release for its line (3.2.1, 3.1.2, 3.0.2 or 2.0.1) or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for date parsing operations
  • High CPU usage spikes correlated with date parsing requests

Network Indicators:

  • Requests with unusually long date parameter values
  • Repeated requests with similar long date strings

SIEM Query:

source="application.log" AND ("Date.parse" OR "date parsing") AND duration>5s
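The log and network indicators above, turned into a small offline checker added here as an example (it is not from this page or any vendor tooling): it scans constructed request-log lines in an assumed key=value format, flags the SIEM query's slow-parse condition (duration above 5 s) and over-long date parameters, and groups repeated long-date requests by source address. The log format, the field names, the 128-character length threshold, the Finding struct and the addresses are all assumptions of this example.

```ruby
# Thresholds: 5 s comes from the SIEM query above; the length cutoff is a
# constructed value to tune per application (it exceeds any legitimate date).
SLOW_PARSE_SECONDS = 5.0
LONG_DATE_LENGTH   = 128

# Constructed request-log lines in an assumed key=value format. Three lines
# from one source carry an oversized date parameter and very slow responses;
# one line is slow but carries a normal date.
SAMPLE_LOG = <<~LOG
  2021-11-16T10:01:02Z INFO path=/api/events src=203.0.113.10 date=2021-11-15 duration=0.004s status=200
  2021-11-16T10:01:03Z INFO path=/api/events src=203.0.113.10 date=2021-11-16 duration=0.003s status=200
  2021-11-16T10:02:10Z WARN path=/api/events src=198.51.100.7 date=#{'0' * 400} duration=12.815s status=500
  2021-11-16T10:02:11Z WARN path=/api/events src=198.51.100.7 date=#{'0' * 400} duration=12.790s status=500
  2021-11-16T10:02:12Z WARN path=/api/events src=198.51.100.7 date=#{'0' * 401} duration=13.002s status=500
  2021-11-16T10:03:00Z INFO path=/api/report src=192.0.2.44 date=2021-11-01 duration=7.250s status=200
LOG

LINE_RE = /\A(?<ts>\S+) (?<level>\S+) path=(?<path>\S+) src=(?<src>\S+) date=(?<date>\S*) duration=(?<dur>[\d.]+)s status=(?<status>\d+)\z/

Finding = Struct.new(:timestamp, :src, :path, :reasons, :date_length, :duration)

# Parse one line into a hash, or nil if it does not match the assumed format.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m

  { ts: m[:ts], src: m[:src], path: m[:path], date: m[:date],
    dur: m[:dur].to_f, status: m[:status].to_i }
end

# Apply both indicators to every line; a line can trip one or both.
def analyze_log(text)
  findings = []
  text.each_line do |line|
    rec = parse_line(line)
    next unless rec

    reasons = []
    reasons << :long_date_param if rec[:date].length > LONG_DATE_LENGTH
    reasons << :slow_parse      if rec[:dur] > SLOW_PARSE_SECONDS
    next if reasons.empty?

    findings << Finding.new(rec[:ts], rec[:src], rec[:path], reasons,
                            rec[:date].length, rec[:dur])
  end
  findings
end

# Sources that sent at least min_count oversized date parameters: the
# "repeated requests with similar long date strings" network indicator.
def repeat_offenders(findings, min_count: 2)
  findings.select { |f| f.reasons.include?(:long_date_param) }
          .group_by(&:src)
          .transform_values(&:size)
          .select { |_src, n| n >= min_count }
end

if __FILE__ == $PROGRAM_NAME
  findings = analyze_log(SAMPLE_LOG)
  findings.each do |f|
    puts format('%s %-14s %-12s len=%-4d dur=%6.3fs %s',
                f.timestamp, f.src, f.path, f.date_length, f.duration, f.reasons.join(','))
  end
  puts "repeat offenders: #{repeat_offenders(findings).inspect}"
end
```

The slow-but-normal-date line is reported with only the slow_parse reason, which is the case worth separating in triage: slow date handling with ordinary input points at the application or database rather than at this vulnerability, while an oversized parameter plus a slow response from the same source, repeated, is the pattern to alert on.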
