CVE-2023-22795

CVSS: 7.5 HIGH

📋 TL;DR

This CVE describes a ReDoS (Regular Expression Denial of Service) vulnerability in Ruby on Rails Action Dispatch. Attackers can send specially crafted HTTP If-None-Match headers to cause catastrophic backtracking in the regex engine, consuming excessive CPU and memory. This affects Ruby on Rails applications running on Ruby versions below 3.2.0.

💻 Affected Systems

Products:
  • Ruby on Rails Action Dispatch
Versions: Action Dispatch 6.1.x before 6.1.7.1 and 7.0.x before 7.0.4.1
Operating Systems: All operating systems running affected Ruby/Rails versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when running on Ruby versions below 3.2.0. Ruby 3.2.0+ includes regex engine improvements that prevent this attack.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion, potentially affecting multiple applications on shared infrastructure.

🟠 Likely Case: Degraded performance and intermittent service disruptions under attack conditions.

🟢 If Mitigated: Minimal impact with proper rate limiting, request filtering, and updated Ruby versions.

🌐 Internet-Facing: HIGH - Attack requires only HTTP requests and can be performed remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specific If-None-Match header values but is straightforward for attackers with basic HTTP knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Action Dispatch 6.1.7.1 or 7.0.4.1

Vendor Advisory: https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

Restart Required: Yes

Instructions:

1. Update the Rails gem: 'bundle update actionpack'
2. Update the Gemfile to pin the patched version
3. Restart the application server
4. Verify the update with 'bundle show actionpack'

🔧 Temporary Workarounds

Upgrade Ruby Version (platform: all)

Upgrade to Ruby 3.2.0 or later, which includes regex engine improvements that prevent catastrophic backtracking:

rvm install 3.2.0
rbenv install 3.2.0

Request Filtering (platform: all)

Implement middleware to filter or sanitize If-None-Match headers before they reach Action Dispatch.
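The following Rack middleware is an added example of the request-filtering workaround; it is not code from the Rails project or from this advisory. It drops (or, in `:reject` mode, refuses with 400) any If-None-Match header that is longer than an assumed 1024-byte cap or that does not match a conservative RFC 7232 entity-tag list, so only well-formed, bounded values reach Action Dispatch. The class name, the length cap, and the `mode:` option are this example's own choices. Dropping the header is the safer default: a conditional GET simply degrades to an unconditional one and the client still gets a correct full response.

```ruby
# Added example: Rack middleware that sanitizes If-None-Match before Action Dispatch sees it.
class IfNoneMatchGuard
  MAX_LENGTH = 1024   # assumption: real ETag lists are a few hundred bytes at most

  # Conservative RFC 7232 entity-tag list: "*" or comma-separated, optionally weak ("W/"),
  # quoted tags. The quoted-tag class excludes '"' itself, so the pattern is unambiguous
  # and cannot backtrack catastrophically. obs-text bytes (0x80-0xFF) are deliberately excluded.
  ETAG_LIST = /\A(?:\*|(?:W\/)?"[!#-~]*"(?:\s*,\s*(?:W\/)?"[!#-~]*")*)\z/

  # mode: :drop   -> remove the header and serve the full response (default, safest)
  #       :reject -> answer 400 so the client learns the header was refused
  def initialize(app, mode: :drop)
    @app = app
    @mode = mode
  end

  # True only for bounded, well-formed entity-tag lists.
  def self.acceptable?(value)
    value.bytesize <= MAX_LENGTH && ETAG_LIST.match?(value)
  end

  def call(env)
    value = env["HTTP_IF_NONE_MATCH"]
    return @app.call(env) if value.nil? || self.class.acceptable?(value)

    if @mode == :reject
      [400, { "content-type" => "text/plain" }, ["Malformed If-None-Match header\n"]]
    else
      env.delete("HTTP_IF_NONE_MATCH")   # conditional GET degrades to an unconditional one
      @app.call(env)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for the downstream Rails app.
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  guard = IfNoneMatchGuard.new(app, mode: :reject)
  puts guard.call({ "HTTP_IF_NONE_MATCH" => '"abc123"' }).first   # 200
  puts guard.call({ "HTTP_IF_NONE_MATCH" => "x" * 5000 }).first   # 400
end
```

In a Rails application the middleware can be registered with `config.middleware.use IfNoneMatchGuard` in config/application.rb; because Action Dispatch only evaluates If-None-Match inside the controller's freshness checks, any position in the middleware stack runs before that code.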

🧯 If You Can't Patch

  • Implement rate limiting and request throttling to limit impact of DoS attempts
  • Deploy WAF rules to block malicious If-None-Match header patterns

🔍 How to Verify

Check if Vulnerable:

Check the Rails version with 'rails --version' and the Ruby version with 'ruby --version'. The application is vulnerable if Rails is 6.1.x below 6.1.7.1 or 7.0.x below 7.0.4.1 AND Ruby is below 3.2.0.

Check Version:

rails --version && ruby --version

Verify Fix Applied:

Confirm that Rails is at least 6.1.7.1 (6.1 series) or at least 7.0.4.1 (7.0 series), or that Ruby is at least 3.2.0; either condition closes the vulnerability.
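The check above can be scripted. The Ruby below is an added example, not tooling from the Rails project: it parses the output of `rails --version` and `ruby --version`, compares against the fixed versions named on this page using the standard-library `Gem::Version`, and reports whether the combination is vulnerable. The module name and the sample command outputs are constructed for the example; the example also assumes that Rails series older than 6.1 (which have no 6.1.7.1-style patched release) count as unpatched, and that releases newer than 7.0.4.1, such as the 7.1 series, carry the fix.

```ruby
require "rubygems"   # Gem::Version ships with Ruby

# Added example: decide whether a Rails/Ruby pair is exposed to CVE-2023-22795.
module Cve202322795Check
  RUBY_FIXED  = Gem::Version.new("3.2.0")
  RAILS_FIXED = { "6.1" => Gem::Version.new("6.1.7.1"),
                  "7.0" => Gem::Version.new("7.0.4.1") }.freeze

  VERSION_RE = /(\d+\.\d+\.\d+(?:\.\d+)?)/

  # Pull the first dotted version out of `rails --version` / `ruby --version` output
  # (e.g. "Rails 7.0.4" or "ruby 3.1.3p185 (2022-11-24) [x86_64-linux]").
  def self.extract_version(text)
    m = VERSION_RE.match(text)
    raise ArgumentError, "no version found in #{text.inspect}" unless m
    Gem::Version.new(m[1])
  end

  def self.rails_patched?(v)
    if v >= Gem::Version.new("7.0")
      v >= RAILS_FIXED["7.0"]   # 7.0.x needs 7.0.4.1; assumption: anything newer is fixed
    else
      v >= RAILS_FIXED["6.1"]   # 6.1.x needs 6.1.7.1; assumption: older series are unpatched
    end
  end

  # Returns a hash describing both components and the combined verdict.
  def self.assess(rails_output, ruby_output)
    rails = extract_version(rails_output)
    ruby  = extract_version(ruby_output)
    patched = rails_patched?(rails)
    mitigated = ruby >= RUBY_FIXED
    { rails: rails.to_s, ruby: ruby.to_s,
      rails_patched: patched, ruby_mitigates: mitigated,
      vulnerable: !patched && !mitigated }
  end

  # Live check against the installed toolchain (shells out; not used in the demo below).
  def self.assess_installed
    assess(`rails --version`, `ruby --version`)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample outputs standing in for the real commands.
  p Cve202322795Check.assess("Rails 7.0.4", "ruby 3.1.3p185 (2022-11-24) [x86_64-linux]")
  p Cve202322795Check.assess("Rails 7.0.4", "ruby 3.2.0 (2022-12-25) [x86_64-linux]")
end
```

Run `ruby -e 'require "./cve_check"; p Cve202322795Check.assess_installed'` (path assumed) on a host to check the installed toolchain; `vulnerable: true` means both the Rails patch and the Ruby 3.2.0 mitigation are missing.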

📡 Detection & Monitoring

Log Indicators:

  • Spike in CPU/memory usage
  • Multiple requests with malformed If-None-Match headers
  • Increased request processing times

Network Indicators:

  • HTTP requests with unusually long If-None-Match headers
  • Repeated requests to same endpoints with varying If-None-Match values

SIEM Query:

source="web_logs" AND (If-None-Match="*{*" OR If-None-Match="*"*" OR If-None-Match="*"*")
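As an added example of turning the log and network indicators above into detection logic (this is not tooling from the advisory or from Rails), the scanner below reads JSON access-log records that carry the length of the If-None-Match header and raises two kinds of finding: an oversized header, and a burst of conditional requests from one client to one path inside a short window. The record format, field names, thresholds and the sample log lines are all constructed for this example; adapt the field names to whatever your proxy or Rails logger actually emits.

```ruby
require "json"
require "time"

# Added example: flag If-None-Match abuse patterns in constructed JSON access logs.
module IfNoneMatchDetector
  MAX_HEADER_LEN  = 512   # assumption: legitimate ETag lists are far shorter than this
  BURST_THRESHOLD = 5     # assumption: >= 5 conditional requests per client+path ...
  WINDOW_SECONDS  = 60    # ... within 60 seconds is worth a look

  # Constructed sample: one client hammering /api/items with conditional requests, two of
  # them with oversized headers, plus ordinary traffic from another client.
  SAMPLE_LOG = [
    '{"time":"2023-01-18T10:00:00Z","client_ip":"203.0.113.5","path":"/api/items","status":200,"if_none_match_len":4096}',
    '{"time":"2023-01-18T10:00:10Z","client_ip":"203.0.113.5","path":"/api/items","status":200,"if_none_match_len":4096}',
    '{"time":"2023-01-18T10:00:20Z","client_ip":"203.0.113.5","path":"/api/items","status":200,"if_none_match_len":300}',
    '{"time":"2023-01-18T10:00:30Z","client_ip":"203.0.113.5","path":"/api/items","status":200,"if_none_match_len":300}',
    '{"time":"2023-01-18T10:00:40Z","client_ip":"203.0.113.5","path":"/api/items","status":200,"if_none_match_len":300}',
    '{"time":"2023-01-18T10:05:00Z","client_ip":"203.0.113.5","path":"/api/users","status":304,"if_none_match_len":36}',
    '{"time":"2023-01-18T10:00:05Z","client_ip":"198.51.100.7","path":"/assets/app.js","status":304,"if_none_match_len":34}',
    '{"time":"2023-01-18T10:00:06Z","client_ip":"198.51.100.7","path":"/","status":200}'
  ].freeze

  # Returns an array of finding hashes; records without an If-None-Match header are ignored.
  def self.scan(lines)
    findings = []
    buckets = Hash.new { |h, k| h[k] = [] }   # [client, path] => [timestamps]

    lines.each do |line|
      rec = JSON.parse(line)
      len = rec["if_none_match_len"].to_i
      next if len.zero?

      if len > MAX_HEADER_LEN
        findings << { type: :oversized_header, client: rec["client_ip"],
                      path: rec["path"], len: len }
      end
      buckets[[rec["client_ip"], rec["path"]]] << Time.iso8601(rec["time"])
    end

    # Sliding window: BURST_THRESHOLD conditional requests within WINDOW_SECONDS.
    buckets.each do |(client, path), times|
      times.sort!
      times.each_index do |i|
        j = i + BURST_THRESHOLD - 1
        break if j >= times.size
        if times[j] - times[i] <= WINDOW_SECONDS
          findings << { type: :conditional_burst, client: client, path: path,
                        count: BURST_THRESHOLD, window_seconds: WINDOW_SECONDS }
          break
        end
      end
    end
    findings
  end
end

if __FILE__ == $PROGRAM_NAME
  IfNoneMatchDetector.scan(IfNoneMatchDetector::SAMPLE_LOG).each { |f| p f }
end
```

Pair the findings with the CPU and request-duration spikes listed above: a burst of conditional requests that also coincides with rising response times on the same path is the combination this CVE's resource exhaustion would produce.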
