CVE-2022-44566
Denial of Service vulnerability in activerecord (RubyGems)


What is CVE-2022-44566 About?

This is a potential denial of service vulnerability in ActiveRecord's PostgreSQL adapter. Supplying a value that lies outside the range of a 64-bit signed integer can force the adapter to treat the compared column as numeric, so PostgreSQL performs a sequential scan instead of an index scan. This resource-intensive operation can degrade performance and lead to a denial of service. Exploitation requires supplying such out-of-range integer values to ActiveRecord query clauses.

Affected Software

  • activerecord
    • >=7.0.0, <7.0.4.1
    • <6.1.7.1

Technical Details

The vulnerability exists in ActiveRecord's PostgreSQL adapter in versions prior to 7.0.4.1 and 6.1.7.1. When a value is provided to an ActiveRecord query clause that exceeds the range of a 64-bit signed integer, the PostgreSQL adapter incorrectly interprets the target column's type as numeric instead of its actual integer type. Subsequently, comparisons between an integer value and a numeric type in PostgreSQL can prevent the use of efficient b-tree indexes, forcing the database to perform a slow sequential scan across the entire table. If this occurs on a large table or is triggered by multiple concurrent requests, it can lead to significant database performance degradation and ultimately a denial of service.

What is the Impact of CVE-2022-44566?

Successful exploitation may allow attackers to disrupt application availability, degrade database performance, or cause the application to become unresponsive by forcing inefficient database operations.

What is the Exploitability of CVE-2022-44566?

Exploiting this vulnerability involves supplying, through user-controlled input, an integer wider than a signed 64-bit value or a floating-point value to ActiveRecord clauses. The complexity is moderate, requiring an understanding of integer limits and how specific input types are handled by ActiveRecord and PostgreSQL. No authentication is required if the vulnerable input path is reachable by unauthenticated users, making this a remote attack; if the input is only accepted from authenticated users, authentication is a prerequisite. No special privileges are required. The key risk factor is applications that do not validate the type and range of user-supplied input before passing it to ActiveRecord search or comparison clauses, especially against large database tables.
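The following is an added example, not code from the advisory or from Rails: an input guard that rejects the two input classes named above (integers wider than signed 64-bit and floats) before a value reaches an ActiveRecord clause, so a request with such a value can be answered with 400 instead of being sent to PostgreSQL. The `Int64Param` module and `safe_id_condition` wrapper are hypothetical names, and the sample inputs are constructed.

```ruby
# Added example (not the advisory's or Rails' own code): validate that a
# user-supplied parameter is a plain integer literal within the signed 64-bit
# range before using it in an ActiveRecord where clause (hypothetical helper).
module Int64Param
  INT64_MIN = -(2**63)
  INT64_MAX = 2**63 - 1
  # Only an optional sign and decimal digits; rejects "1.5", "1e20", "0x10", "abc".
  INT_PATTERN = /\A\s*[+-]?\d+\s*\z/

  # Returns an Integer within signed 64-bit range, or nil when the input is
  # not a plain integer literal or lies outside that range.
  def self.parse(raw)
    return nil unless raw.is_a?(String) || raw.is_a?(Integer)
    str = raw.to_s
    return nil unless INT_PATTERN.match?(str)
    value = Integer(str, 10)
    (INT64_MIN..INT64_MAX).cover?(value) ? value : nil
  end

  # Validates a list such as params[:ids]; nil if any element fails.
  def self.parse_all(raws)
    values = Array(raws).map { |r| parse(r) }
    values.any?(&:nil?) ? nil : values
  end
end

# Hypothetical wrapper: returns a where-condition hash for a validated id, or
# nil so the controller can reject the request instead of querying.
def safe_id_condition(param)
  id = Int64Param.parse(param)
  id.nil? ? nil : { id: id }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs covering the boundary and the rejected classes.
  ["42", "9223372036854775807", "9223372036854775808", "1.5", "1e20"].each do |raw|
    puts "#{raw.inspect} => #{Int64Param.parse(raw).inspect}"
  end
end
```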

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2022-44566?

Available Upgrade Options

  • activerecord
    • <6.1.7.1 → Upgrade to 6.1.7.1
  • activerecord
    • >=7.0.0, <7.0.4.1 → Upgrade to 7.0.4.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-44566?

Similar Vulnerabilities: CVE-2023-28362, CVE-2023-28846, CVE-2023-24836, CVE-2023-5356, CVE-2023-28156