GHSA-GJRJ-9RJ4-PGWX

Vulnerability from github – Published: 2021-12-15 22:51 – Updated: 2021-12-17 19:33
VLAI?
Summary
DoS Vulnerability from Upstream Actix Web Issues
Details

Impact

This vulnerability affects all users of the perseus deploy functionality who have not exported their sites to static files. If you are using the inbuilt Perseus server in production, there is a memory leak in Actix Web stemming from this upstream issue which can allow even a single user to cause the process to exhaust its memory on low-memory servers by continuously reloading the page. Note that this issue does not affect all Actix Web applications, but rather results from certain usage patterns which appear to be present in Perseus' server mechanics.

Patches

This vulnerability is addressed in all versions after Perseus v0.3.0-beta.21, which temporarily discontinues the use of perseus-actix-web (until the upstream bug is fixed) and switches to perseus-warp instead, which utilizes Warp.

Additionally, as of Perseus v0.3.0-beta.22, the Actix Web integration has been upgraded to use the latest unstable beta version of Actix Web, which appears to partially resolve this issue (the severity of the memory leak is reduced). However, due to the instability of this version, the default integration will remain Warp for now, and a warning will appear if you attempt to use the Actix Web integration.

Using the Actix Web integration If the instability of the latest beta version of Actix Web is not a concern for you, you can use this integration by adding `-i actix-web` to `perseus serve` and the like. This will print a warning about instability, and will then operate with the beta version. Please report any failures in functionality that are not security-related to the Perseus team by [opening an issue on the repository](https://github.com/arctic-hen7/perseus/issues/new/choose). Note however that switching to the Warp integration requires no code changes whatsoever unless you've ejected, so there are very few disadvantages to this change.

Workarounds

Due to significant infrastructural changes within other Perseus packages that were needed to support Warp, this integration is not backward-compatible with any previous version of Perseus, meaning there are no easily feasible workarounds. If you're only in development though, this vulnerability is irrelevant until you push to production.

CVE Status

Due to GitHub's requirements, a CVE can't be issued for this security advisory because the issue is technically one with Actix Web (though it's only in combination with certain mechanics in the Perseus server that this problem arises).

References

See this upstream issue in Actix Web.

For more information

If you have any questions or comments about this advisory: * Open an issue on this repository * Email me at arctic_hen7@pm.me

Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0-beta.21"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "perseus-actix-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0-beta.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-15T21:42:48Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nThis vulnerability affects all users of the `perseus deploy` functionality who have not exported their sites to static files. If you are using the inbuilt Perseus server in production, there is a memory leak in Actix Web stemming from [this upstream issue](https://github.com/actix/actix-web/issues/1780) which can allow even a single user to cause the process to exhaust its memory on low-memory servers by continuously reloading the page. Note that this issue does not affect all Actix Web applications, but rather results from certain usage patterns which appear to be present in Perseus\u0027 server mechanics.\n\n### Patches\nThis vulnerability is addressed in all versions after Perseus `v0.3.0-beta.21`, which temporarily discontinues the use of `perseus-actix-web` (until the upstream bug is fixed) and switches to `perseus-warp` instead, which utilizes [Warp](https://github.com/seanmonstar/warp).\n\nAdditionally, as of Perseus `v0.3.0-beta.22`, the Actix Web integration has been upgraded to use the latest unstable beta version of Actix Web, which appears to partially resolve this issue (the severity of the memory leak is reduced). However, due to the instability of this version, the default integration will remain Warp for now, and a warning will appear if you attempt to use the Actix Web integration.\n\n\u003cdetails\u003e\n\u003csummary\u003eUsing the Actix Web integration\u003c/summary\u003e\n\nIf the instability of the latest beta version of Actix Web is not a concern for you, you can use this integration by adding `-i actix-web` to `perseus serve` and the like. This will print a warning about instability, and will then operate with the beta version. Please report any failures in functionality that are not security-related to the Perseus team by [opening an issue on the repository](https://github.com/arctic-hen7/perseus/issues/new/choose).\n\nNote however that switching to the Warp integration requires no code changes whatsoever unless you\u0027ve ejected, so there are very few disadvantages to this change.\n\n\u003c/details\u003e\n\n### Workarounds\nDue to significant infrastructural changes within other Perseus packages that were needed to support Warp, this integration is not backward-compatible with any previous version of Perseus, meaning there are no easily feasible workarounds. If you\u0027re only in development though, this vulnerability is irrelevant until you push to production.\n\n### CVE Status\n\nDue to GitHub\u0027s requirements, a CVE can\u0027t be issued for this security advisory because the issue is technically one with Actix Web (though it\u0027s only in combination with certain mechanics in the Perseus server that this problem arises).\n\n### References\nSee [this upstream issue](https://github.com/actix/actix-web/issues/1780) in Actix Web.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue on this repository\n* Email me at [arctic_hen7@pm.me](mailto:arctic_hen7@pm.me)\n",
  "id": "GHSA-gjrj-9rj4-pgwx",
  "modified": "2021-12-17T19:33:49Z",
  "published": "2021-12-15T22:51:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/arctic-hen7/perseus/security/advisories/GHSA-gjrj-9rj4-pgwx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actix/actix-web/issues/1780"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/arctic-hen7/perseus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "DoS Vulnerability from Upstream Actix Web Issues"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.