CVE-2022-23837: Sidekiq API Uncontrolled Resource Consumption Leading to Denial-of-Service Vulnerability in Web UI

Sidekiq is a widely used background processing library for Ruby applications. Recently, a vulnerability (CVE-2022-23837) has been discovered that affects Sidekiq versions prior to 5.2.10 and 6.4.. The vulnerability exists in the API and is related to the handling of the number of days when requesting historical job stats for graph generation in the Web UI, which causes resource overconsumption and leads to Denial-of-Service (DoS) for the users of the affected UI.

Vulnerability Description

This vulnerability is caused by a lack of input validation in the API when it comes to the requested number of days for job stats. In other words, an attacker can request a large number of days, leaving the system busy processing the data, which in turn makes the Web UI unresponsive or unavailable to other users. The API doesn't have a limit to the number of days that can be requested, and as a result, the system gets overloaded with excessive resource consumption.

The vulnerable code snippet resides in the api.rb file of Sidekiq

get "/stats" do
  last_x_days = params[:last_x_days].to_i
  # No validation of the 'last_x_days' parameter.
  content_type :json
  Sidekiq::Stats::History.new(last_x_days).to_json
end

As we can see from the code snippet above, the last_x_days input parameter is directly converted to an integer and then passed to the Sidekiq::Stats::History class without any validation. This makes it possible for an attacker to exploit the vulnerability by crafting a request with an excessive number of days, causing resource overconsumption and DoS for the Web UI.

Exploit Details

An attacker can exploit the vulnerability by crafting a custom HTTP GET request to the /stats endpoint of the Sidekiq Web UI:

GET /stats?last_x_days=100000000 HTTP/1.1
Host: target-sidekiq-web-ui-domain.com

The last_x_days parameter determines the number of days for which the system will fetch job stats history. An attacker can set this parameter to a high value to cause resource overconsumption, as described above, thus resulting in a Denial-of-Service attack.

To keep the Web UI responsive to other users, it's crucial to fix this vulnerability on affected Sidekiq versions.

Fix and Recommendations

The vulnerability was addressed in Sidekiq versions 5.2.10 and 6.4.. If you are using an affected version of Sidekiq, it is highly recommended to upgrade your installation to a non-vulnerable version immediately. The patch introduces a limit to the number of days that can be requested in the api.rb file:

get "/stats" do
  last_x_days = [params[:last_x_days].to_i, 30].min
  # Added a limit of 30 days for 'last_x_days' parameter.
  content_type :json
  Sidekiq::Stats::History.new(last_x_days).to_json
end

By applying the patch, the maximum number of days that can be requested in the /stats endpoint is limited to 30 days, preventing resource overconsumption and subsequent DoS attacks.

References

- Original Advisory: https://github.com/mperham/sidekiq/security/advisories/GHSA-54pm-q257-g5wp

Timeline

Published on: 01/21/2022 21:15:00 UTC
Last modified on: 04/25/2022 17:22:00 UTC