CVE-2023-37279
📋 TL;DR
This vulnerability allows denial of service attacks against Faktory web dashboard instances by sending crafted malicious URL query parameters. Attackers can crash the backend server by providing extremely large values for the 'days' parameter, causing excessive memory consumption. All Faktory deployments with the web dashboard enabled prior to version 1.8.0 are affected.
💻 Affected Systems
- Faktory
📦 What is this software?
Faktory by Contribsys
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of the Faktory background job server, causing all queued jobs to fail and requiring manual restart of the service.
Likely Case
Temporary denial of service affecting the web dashboard and potentially the job processing functionality until the server is restarted.
If Mitigated
Minimal impact with proper input validation and memory limits in place, potentially causing only temporary dashboard unavailability.
🎯 Exploit Status
Exploitation requires only sending a crafted HTTP request with a malicious 'days' parameter to the dashboard endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0
Vendor Advisory: https://github.com/contribsys/faktory/security/advisories/GHSA-x4hh-vjm7-g2jv
Restart Required: Yes
Instructions:
1. Stop the Faktory service.
2. Update to version 1.8.0 or later using your package manager or by downloading from GitHub.
3. Restart the Faktory service.
4. Verify the dashboard is accessible and functioning.
🔧 Temporary Workarounds
Disable Web Dashboard
Completely disable the vulnerable web dashboard component (all platforms)
Modify Faktory configuration to set 'disable_web' to true or remove web dashboard startup parameters
Network Access Control
Restrict access to the dashboard port using firewall rules (Linux)
iptables -A INPUT -p tcp --dport 7420 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 7420 -j DROP
🧯 If You Can't Patch
- Implement a reverse proxy or WAF with input validation to filter malicious 'days' parameter values
- Monitor memory usage and restart Faktory automatically if memory consumption exceeds safe thresholds
🔍 How to Verify
Check if Vulnerable:
Check if Faktory version is below 1.8.0 and the web dashboard is enabled in configuration
Check Version:
faktory --version or check the version displayed in the web dashboard interface
Verify Fix Applied:
Verify Faktory version is 1.8.0 or higher and test dashboard functionality with various 'days' parameter values
📡 Detection & Monitoring
Log Indicators:
- High memory usage alerts
- Faktory process crashes
- Repeated HTTP requests with large 'days' parameter values
Network Indicators:
- HTTP GET requests to /dashboard with 'days' parameter containing extremely large values
SIEM Query:
(source="faktory.log" AND ("out of memory" OR "panic" OR "crash")) OR (http.uri.path="/dashboard" AND http.uri.query contains "days=")
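As an added example (not code from the advisory or the Faktory project), the following Python implements both the reverse-proxy filter on the 'days' parameter suggested under "If You Can't Patch" and the log-based detection of oversized 'days' values listed above. The MAX_DAYS bound, the combined access-log format and the sample log lines are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed upper bound; the advisory gives no specific safe value for 'days'.
MAX_DAYS = 366
# Combined-format access log: client address, then the request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+) HTTP/')

def classify_days(request_target):
    """Return 'absent', 'ok', 'oversized' or 'malformed' for the 'days'
    parameter of a request target such as '/dashboard?days=30'."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    values = query.get("days")
    if not values:
        return "absent"
    for raw in values:  # every repeated 'days=' value is checked
        raw = raw.strip()
        if not raw.isdigit():  # rejects '', signs, spaces, exponents
            return "malformed"
        # Length check first so a huge digit string is never converted
        if len(raw) > len(str(MAX_DAYS)) or int(raw) > MAX_DAYS:
            return "oversized"
    return "ok"

def should_block(request_target):
    """Reverse-proxy decision: pass only requests with no or a sane 'days'."""
    return classify_days(request_target) not in ("absent", "ok")

def scan_access_log(lines):
    """Return (client, target, status) for log lines whose 'days' value is
    oversized or malformed; lines that do not parse are skipped."""
    flagged = []
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            client, target = match.groups()
            status = classify_days(target)
            if status in ("oversized", "malformed"):
                flagged.append((client, target, status))
    return flagged

# Constructed sample log lines for demonstration, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /dashboard?days=30 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /dashboard?days=99999999999999 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /dashboard?days=-1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /stats HTTP/1.1" 200 128',
]
```

Running scan_access_log(SAMPLE_LOG) flags the second and third entries only; should_block is the same decision applied per request at the proxy.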