CVE-2022-23837 Overview
CVE-2022-23837 is a Denial of Service (DoS) vulnerability in Sidekiq, a popular background job processing framework for Ruby applications. The vulnerability exists in api.rb where there is no limit on the number of days when requesting stats for the graph. This allows attackers to overload the system by requesting an excessive number of days of historical data, rendering the Web UI unavailable to legitimate users.
Critical Impact
Attackers can cause complete unavailability of the Sidekiq Web UI by exploiting the unbounded days parameter in stats requests, potentially disrupting monitoring and management of background job processing for affected applications.
Affected Products
- Contribsys Sidekiq versions before 5.2.10
- Contribsys Sidekiq versions before 6.4.0
- Debian Linux 9.0
Discovery Timeline
- 2022-01-21 - CVE-2022-23837 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23837
Vulnerability Analysis
This vulnerability is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The flaw resides in the Sidekiq Web UI's statistics endpoint, which allows users to request historical job processing data. The days parameter, which controls how many days of statistics to retrieve, lacks proper input validation and boundary checks.
When an attacker submits a request with an extremely large value for the days parameter, the application attempts to retrieve and process an unreasonable amount of historical data from Redis. This resource exhaustion attack can overwhelm the server's memory and CPU, causing the Web UI to become completely unresponsive. Since Sidekiq stores up to five years of data in Redis, attackers could theoretically request thousands of days of statistics in a single request.
The vulnerability is exploitable over the network without requiring authentication (depending on how the Sidekiq Web UI is deployed), making it a significant risk for publicly exposed or inadequately protected Sidekiq installations.
Root Cause
The root cause is the absence of input validation on the days parameter in two critical locations: the Sidekiq::Stats::History class in lib/sidekiq/api.rb and the main dashboard route in lib/sidekiq/web/application.rb. Without validation, any integer value passed to these components is processed, allowing attackers to force the system to calculate statistics for an arbitrary timeframe: the History class builds one Redis lookup per requested day, so the work grows linearly with the supplied value.
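To make the root cause concrete, here is an added example (not Sidekiq's own code) that models how the History class turns a days value into one Redis key per day: the key list, and therefore the work the server does, grows linearly with the value, and only the patched bound stops it. HistoryModel, FAKE_REDIS and rejected_by_bound? are assumed names, and the sample counts are constructed.

```ruby
require "date"

# Stand-in for the per-day counters Sidekiq keeps in Redis (constructed sample data).
FAKE_REDIS = {
  "stat:processed:2022-01-20" => "120",
  "stat:processed:2022-01-19" => "98",
  "stat:processed:2022-01-18" => "143"
}.freeze

# Simplified model of Sidekiq::Stats::History (assumption: not Sidekiq's own code).
# One key is built per requested day, so work grows linearly with days_previous.
class HistoryModel
  MAX_DAYS = 5 * 365 # the bound the patch adds

  def initialize(days_previous, start_date = nil, enforce_bound: true)
    if enforce_bound && (days_previous < 1 || days_previous > MAX_DAYS)
      raise ArgumentError, "days_previous out of range: #{days_previous}"
    end
    @days_previous = days_previous
    @start_date = start_date || Date.new(2022, 1, 20) # fixed date keeps the sample deterministic
  end

  # The per-day keys a lookup would hand to a single Redis MGET.
  def keys(stat = "processed")
    @start_date.downto(@start_date - @days_previous + 1).map do |d|
      "stat:#{stat}:#{d.strftime('%Y-%m-%d')}"
    end
  end

  # {"YYYY-MM-DD" => count} for the window; days with no counter count as 0.
  def processed
    ks = keys
    values = ks.map { |k| FAKE_REDIS[k] } # stands in for conn.mget(ks)
    ks.zip(values).to_h { |k, v| [k.split(":").last, v ? v.to_i : 0] }
  end
end

# True when the patched bound rejects this value.
def rejected_by_bound?(days)
  HistoryModel.new(days)
  false
rescue ArgumentError
  true
end
```

With the bound disabled, a request for 100,000 days materialises 100,000 keys before a single Redis call is made; with it enabled the same request fails fast with ArgumentError.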
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests to the Sidekiq Web UI with a maliciously large days parameter. For example, requesting the dashboard with ?days=999999999 would cause the server to attempt to retrieve years' worth of daily statistics, exhausting system resources.
The attack requires network access to the Sidekiq Web UI endpoint. No special privileges are required if the Web UI lacks proper authentication controls, which is a common misconfiguration in development and some production environments.
# Vulnerable code - no validation on days_previous parameter
# (only the constructor of Sidekiq::Stats::History is shown)
class History
  def initialize(days_previous, start_date = nil)
    @days_previous = days_previous
    @start_date = start_date || Time.now.utc.to_date
  end
end

# Patched code - validates days parameter with reasonable bounds
class History
  def initialize(days_previous, start_date = nil)
    # we only store five years of data in Redis
    raise ArgumentError if days_previous < 1 || days_previous > (5 * 365)
    @days_previous = days_previous
    @start_date = start_date || Time.now.utc.to_date
  end
end
Source: GitHub Sidekiq Commit
Detection Methods for CVE-2022-23837
Indicators of Compromise
- Abnormal HTTP requests to Sidekiq Web UI endpoints containing unusually large days parameter values (e.g., ?days=999999 or higher)
- Sudden spikes in memory or CPU usage on servers hosting the Sidekiq Web UI
- Web UI becoming unresponsive or returning timeout errors during normal operations
- Unusual patterns of repeated requests to the root dashboard endpoint (/)
Detection Strategies
- Implement web application firewall (WAF) rules to block requests with days parameter values exceeding 180
- Configure application performance monitoring (APM) to alert on resource exhaustion patterns in Ruby/Rails processes
- Review web server access logs for requests containing suspicious days parameter values
- Monitor Redis connection pool exhaustion and query latency spikes that may indicate exploitation attempts
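To illustrate the access-log review above, an added example (not part of the original advisory): it parses constructed nginx-style log lines, extracts the days parameter from Sidekiq Web UI requests, flags values that are not integers within the 1..180 bound the patched route uses, and counts flagged requests per client IP. The log lines, SAMPLE_LOG and the function names are constructed for this example.

```ruby
require "uri"
require "cgi"

# Constructed nginx-style access log lines (not taken from any real system).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [21/Jan/2022:10:00:01 +0000] "GET /sidekiq/?days=30 HTTP/1.1" 200 5120
  10.0.0.5 - - [21/Jan/2022:10:00:02 +0000] "GET /sidekiq/busy HTTP/1.1" 200 2048
  203.0.113.7 - - [21/Jan/2022:10:00:09 +0000] "GET /sidekiq/?days=999999999 HTTP/1.1" 504 0
  203.0.113.7 - - [21/Jan/2022:10:00:15 +0000] "GET /sidekiq/?days=999999999 HTTP/1.1" 504 0
  203.0.113.7 - - [21/Jan/2022:10:00:21 +0000] "GET /sidekiq/?days=abc HTTP/1.1" 200 5120
  198.51.100.9 - - [21/Jan/2022:10:01:00 +0000] "GET /sidekiq/?days=180 HTTP/1.1" 200 9000
LOG

WEB_MAX_DAYS = 180 # the bound used by the patched dashboard route

# client ip, timestamp, method, request target, status
LINE_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/

# Parses one line into a hash, or nil if it is malformed or not a Sidekiq UI request.
def parse_sidekiq_request(line)
  return nil unless (m = LINE_RE.match(line))
  ip, ts, method, target, status = m.captures
  uri = URI.parse(target)
  return nil unless uri.path.start_with?("/sidekiq")
  params = uri.query ? CGI.parse(uri.query) : {}
  { ip: ip, time: ts, method: method, path: uri.path, status: status.to_i,
    days: params["days"]&.first }
end

# Requests carrying a days value that is not an integer in 1..WEB_MAX_DAYS.
# Non-numeric values are flagged too: the vulnerable code calls to_i on them.
def suspicious_days_requests(log_text)
  log_text.each_line.filter_map { |l| parse_sidekiq_request(l) }.select do |r|
    next false if r[:days].nil?
    !(r[:days] =~ /\A\d+\z/ && (1..WEB_MAX_DAYS).cover?(r[:days].to_i))
  end
end

# Flagged request count per client IP, for spotting repeated attempts.
def suspicious_by_ip(log_text)
  suspicious_days_requests(log_text).group_by { |r| r[:ip] }.transform_values(&:size)
end
```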
Monitoring Recommendations
- Set up alerts for Sidekiq Web UI response times exceeding normal thresholds
- Monitor server resource utilization (CPU, memory) for anomalies coinciding with Web UI requests
- Implement rate limiting on the Sidekiq Web UI endpoints to prevent rapid successive DoS attempts
- Track and log all parameter values passed to statistics endpoints for forensic analysis
How to Mitigate CVE-2022-23837
Immediate Actions Required
- Upgrade Sidekiq to version 5.2.10 or later (for 5.x branch) or version 6.4.0 or later (for 6.x branch)
- If immediate upgrade is not possible, restrict access to the Sidekiq Web UI using authentication and IP whitelisting
- Implement a reverse proxy or WAF rule to reject requests with days parameter values outside acceptable ranges
- Monitor systems for signs of exploitation while patches are being deployed
Patch Information
The vulnerability has been patched in Sidekiq versions 5.2.10 and 6.4.0. The fix adds input validation to ensure the days parameter is within reasonable bounds (1 to 1825 days in the History class, and 1 to 180 days in the web application route).
Security patches are available through the official Sidekiq repository. For detailed patch information, see the GitHub Sidekiq Commit and the Ruby Security Advisory Pull Request.
Debian users should apply updates as described in the Debian LTS Announcement March 2022 and Debian LTS Announcement March 2023.
Workarounds
- Place the Sidekiq Web UI behind HTTP Basic Authentication or integrate with your application's authentication system
- Use a reverse proxy (nginx, Apache) to filter and reject requests with abnormal days parameter values
- Restrict network access to the Sidekiq Web UI to trusted internal networks or VPN-connected users only
- Implement request rate limiting on the Web UI endpoints to mitigate DoS impact
# Rack middleware to validate days parameter before reaching Sidekiq
# (add `use SidekiqDaysValidator` ahead of the Sidekiq::Web mount in config.ru)
require 'rack'

class SidekiqDaysValidator
  MAX_DAYS = 180 # matches the bound used by the patched web route

  def initialize(app)
    @app = app
  end

  def call(env)
    request = Rack::Request.new(env)
    # Only inspect requests to the Sidekiq Web UI that carry a days parameter
    if request.path =~ /sidekiq/ && request.params['days']
      days = request.params['days'].to_i # non-numeric values become 0 and are rejected
      if days < 1 || days > MAX_DAYS
        return [400, { 'content-type' => 'text/plain' }, ['Invalid days parameter']]
      end
    end
    @app.call(env)
  end
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.