
Multiple Puma Vulnerabilities Fixed in Ubuntu

by Rohan Timalsina

April 4, 2024 - TuxCare expert team

Puma is a threaded HTTP 1.1 server used for running Ruby web applications. It facilitates communication between web browsers and Ruby applications, handling incoming requests and delivering responses. Recently, the Ubuntu security team released updates to address Puma vulnerabilities in Ubuntu 22.04 LTS and Ubuntu 20.04 LTS releases. In this article, we’ll explore the specifics of these patched vulnerabilities.


A Closer Look at Puma Vulnerabilities


CVE-2020-11076 & CVE-2020-11077 (CVSS v3 Score: 7.5 High)

These vulnerabilities, discovered by ZeddYu Lu, stemmed from Puma’s incorrect handling of certain headers. A remote attacker could potentially exploit this to launch HTTP Request Smuggling attacks. This issue was specific to Ubuntu 20.04 LTS.


CVE-2022-23634 (CVSS v3 Score: 5.9 Medium)

Jean Boussier identified a situation where Puma might not properly release resources after processing HTTP requests. This vulnerability could potentially allow a remote attacker to access sensitive information.


CVE-2022-24790 (CVSS v3 Score: 7.5 High)

It was found that Puma incorrectly handled certain malformed headers. This vulnerability could be leveraged by a remote attacker to execute HTTP Request Smuggling attacks.


CVE-2023-40175 (CVSS v3 Score: 9.8 Critical)

Similar to the earlier vulnerability, Ben Kallus discovered another instance of Puma mishandling the parsing of certain headers. This vulnerability could also be exploited for HTTP Request Smuggling attacks.


CVE-2024-21647 (CVSS v3 Score: 7.5 High)

Bartek Nowotarski discovered that Puma incorrectly handled parsing certain encoded content. A remote attacker could potentially use this flaw to cause a denial-of-service (DoS) attack.
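The request smuggling issues above all come down to a front-end proxy and Puma disagreeing on where one request ends and the next begins. The following Ruby snippet is an added example, not code from this advisory or from the Puma project: it applies the RFC 7230 message-framing rules to a raw request head and reports why the head is ambiguous, which is the kind of check a reverse proxy in front of Puma should enforce before forwarding. The sample request heads are constructed for the example.

```ruby
# Added example (not Puma's code): report ambiguous HTTP/1.1 message framing.
# A proxy and a backend that disagree on where a request ends is the root
# condition for request smuggling, so heads that fail these RFC 7230 rules
# should be rejected at the edge instead of forwarded to Puma.

# Returns an array of reasons the head is ambiguous; an empty array means clean.
def framing_problems(raw_head)
  headers = Hash.new { |h, k| h[k] = [] }
  raw_head.split("\r\n").drop(1).each do |line|
    next if line.empty?
    # Field name must be followed directly by ':'; leading whitespace (obs-fold)
    # and whitespace before the colon are both forbidden by RFC 7230.
    unless line =~ /\A([^:\s]+):[ \t]*(.*?)[ \t]*\z/
      return ["malformed header line: #{line.inspect}"]
    end
    headers[$1.downcase] << $2
  end

  problems = []
  cl = headers["content-length"]
  te = headers["transfer-encoding"]
  problems << "both Transfer-Encoding and Content-Length present" if !cl.empty? && !te.empty?
  problems << "conflicting Content-Length values" if cl.uniq.size > 1
  problems << "non-numeric Content-Length" if cl.any? { |v| v !~ /\A\d+\z/ }
  unless te.empty?
    codings = te.flat_map { |v| v.split(",").map { |c| c.strip.downcase } }
    problems << "Transfer-Encoding does not end with chunked" unless codings.last == "chunked"
    problems << "chunked applied more than once" if codings.count("chunked") > 1
  end
  problems
end

# Constructed sample request heads (not real traffic) to run the check against.
SAMPLES = {
  "clean" => "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n",
  "cl_and_te" => "POST / HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
  "dup_cl" => "POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 12\r\n\r\n",
  "te_order" => "POST / HTTP/1.1\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
  "space_colon" => "POST / HTTP/1.1\r\nContent-Length : 5\r\n\r\n",
}.freeze

# Maps each sample name to the problems found, so results can be inspected.
def scan_samples
  SAMPLES.transform_values { |head| framing_problems(head) }
end

if __FILE__ == $0
  scan_samples.each { |name, probs| puts "#{name}: #{probs.empty? ? 'ok' : probs.join('; ')}" }
end
```

Only the "clean" sample passes; each of the others is reported with the specific framing rule it breaks.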


Conclusion


Upgrading Puma packages to the latest versions is essential to mitigate these vulnerabilities and safeguard your web applications. It’s advisable to stay updated on the latest security advisories for Puma and other critical software components to maintain a robust security posture.

To ensure maximum protection of your Ubuntu systems, you can leverage the KernelCare Enterprise live patching solution, which automatically applies security patches to the running kernel without system restarts or downtime. Besides Ubuntu, KernelCare supports other popular Linux distributions, including Debian, CentOS, AlmaLinux, RHEL, Rocky Linux, Oracle Linux, CloudLinux, and more.


Source: USN-6682-1
