CVE-2018-8777: DoS by large request in WEBrick

There is a out-of-memory DoS vulnerability with a large request in WEBrick bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2018-8777.

Details

If an attacker sends a large request which contains huge HTTP headers, WEBrick try to process it on memory, so the request causes the out-of-memory DoS attack.

All users running an affected release should upgrade immediately.

Affected Versions

  • Ruby 2.2 series: 2.2.9 and earlier
  • Ruby 2.3 series: 2.3.6 and earlier
  • Ruby 2.4 series: 2.4.3 and earlier
  • Ruby 2.5 series: 2.5.0 and earlier
  • Ruby 2.6 series: 2.6.0-preview1
  • prior to trunk revision r62965

Credit

Thanks to Eric Wong e@80x24.org for reporting the issue.

History

  • Originally published at 2018-03-28 14:00:00 (UTC)