Denial of Service using mime type caching


I am using brakeman (3.5.1) to scan my Rails code (4.2.1). Things seem fine, but it gives an issue as below:

denial of service via mime type caching. Please upgrade to Rails 4.2.5.

Now I understand what denial of service is, and that mime types are in the Accept headers of the HTTP request. But how does mime type caching cause denial of service?

Can someone please explain how this is caused?

Thanks


The full message is: Rails 4.2.1 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.2.5.

If you searched for CVE-2016-0751, or used the HTML report and clicked on "Denial of Service", or used the JSON output and followed the provided link, you would find the Rails security advisory for CVE-2016-0751 which states:

Possible Object Leak and Denial of Service attack in Action Pack

There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-0751.

Versions Affected: All.

Not affected: None.

Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact

A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

When an HTTP request is received, it can use an Accept header to specify the mime types it expects to receive. These are cached in Rails. An attacker can send lots of different mime types (they don't have to be real) and cause the cache to grow large and use all the available RAM, crashing the server. This is categorized as a Denial of Service attack.

In other words, it is a security vulnerability in a core part of Rails. To address it, upgrade.
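To make the mechanism in the answer concrete, here is an added toy model (not code from the question, the answer, or Rails itself) of an Accept-header cache: one variant memoises every distinct header string it sees and so grows by one entry per distinct header, the other memoises only headers made entirely of media types the application registers and caps the number of entries. A small helper also reports which media types in a header are unregistered, which is the signal a defender would log or alert on. The `KNOWN_TYPES` list and all header strings are constructed for this illustration.

```ruby
# Added example, not Rails code: a toy model of an unbounded versus a bounded
# Accept-header cache. KNOWN_TYPES and the header strings are constructed.

# Media types the hypothetical application actually serves.
KNOWN_TYPES = %w[text/html application/json application/xml text/plain */*].freeze

# Parse an Accept header into its bare media types, dropping q= parameters.
def parse_accept(header)
  header.split(',').map { |part| part.split(';').first.strip.downcase }.reject(&:empty?)
end

# Failure mode: every distinct header string is memoised forever, so the
# cache grows by one entry for each distinct header the server receives.
class UnboundedAcceptCache
  def initialize
    @cache = {}
  end

  def lookup(header)
    @cache[header] ||= parse_accept(header)
  end

  def size
    @cache.size
  end
end

# Mitigated variant: a result is memoised only when every type in it is one
# the application registers, and never beyond a fixed number of entries.
class BoundedAcceptCache
  def initialize(max_entries: 64)
    @cache = {}
    @max_entries = max_entries
  end

  def lookup(header)
    return @cache[header] if @cache.key?(header)
    types = parse_accept(header)
    registered = types.all? { |t| KNOWN_TYPES.include?(t) }
    @cache[header] = types if registered && @cache.size < @max_entries
    types
  end

  def size
    @cache.size
  end
end

# Detection helper: the media types in a header that the app does not serve.
def unregistered_types(header)
  parse_accept(header).reject { |t| KNOWN_TYPES.include?(t) }
end

# Constructed traffic: one ordinary browser-style header, then many distinct
# made-up media types of the kind the advisory describes.
NORMAL_HEADER = 'text/html,application/json;q=0.9,*/*;q=0.8'.freeze

def constructed_headers(count)
  (1..count).map { |i| "application/vnd.constructed-#{i}+json" }
end

# Feed the normal header plus `count` distinct constructed headers through a
# cache and return how many entries it holds afterwards.
def simulate(cache, count)
  cache.lookup(NORMAL_HEADER)
  constructed_headers(count).each { |h| cache.lookup(h) }
  cache.size
end

if $PROGRAM_NAME == __FILE__
  puts "unbounded cache after 1000 distinct headers: #{simulate(UnboundedAcceptCache.new, 1000)}"
  puts "bounded cache after 1000 distinct headers:   #{simulate(BoundedAcceptCache.new, 1000)}"
  puts "unregistered types in a constructed header:  #{unregistered_types(constructed_headers(1).first).inspect}"
end
```

Run it directly and the unbounded cache ends with 1001 entries while the bounded one stays at 1, which is the difference between the affected and fixed behaviour the advisory describes. In a real deployment the fix is the Rails upgrade the answer recommends; the `unregistered_types` check is the kind of thing you would add to request logging to spot a flood of unknown media types.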