|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: rubygem-activerecord*: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155) | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | jmassaguerpla, meissner, security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | maint:released:sle11-sp2:51246 maint:released:sle11-sp1-atk12:51247 | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: |
attached fix#1
attached fix#2 attached fix#3 |
||
Created attachment 519461 [details]
attached fix#1
Created attachment 519462 [details]
attached fix#2
Created attachment 519463 [details]
attached fix#3
bugbot adjusting priority This is an autogenerated message for OBS integration: This bug (797449) was mentioned in https://build.opensuse.org/request/show/148846 Maintenance / openSUSE-SU-2013:0278-1: An update that solves 5 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 766792,775649,775653,796712,797449,797452,798452,798458,800320 CVE References: CVE-2012-2695,CVE-2012-5664,CVE-2013-0155,CVE-2013-0156,CVE-2013-0333 Sources used: openSUSE 12.2 (src): rubygem-actionmailer-2.3.16-2.5.1, rubygem-actionmailer-2_3-2.3.16-2.5.3, rubygem-actionmailer-3_2-3.2.11-2.9.5, rubygem-actionpack-2.3.16-2.5.1, rubygem-actionpack-2_3-2.3.16-2.13.3, rubygem-actionpack-3_2-3.2.11-3.9.4, rubygem-activemodel-3_2-3.2.11-2.9.2, rubygem-activerecord-2.3.16-3.5.1, rubygem-activerecord-2_3-2.3.16-2.9.2, rubygem-activerecord-3_2-3.2.11-2.9.1, rubygem-activeresource-2.3.16-3.5.1, rubygem-activeresource-2_3-2.3.16-2.5.2, rubygem-activeresource-3_2-3.2.11-2.9.1, rubygem-activesupport-2.3.16-3.5.1, rubygem-activesupport-2_3-2.3.16-3.9.1, rubygem-activesupport-3_2-3.2.11-2.9.1, rubygem-rack-1_1-1.1.5-6.5.1, rubygem-rack-1_2-1.2.7-2.5.1, rubygem-rack-1_3-1.3.9-2.5.1, rubygem-rack-1_4-1.4.1-2.5.1, rubygem-rails-2.3.16-3.5.1, rubygem-rails-2_3-2.3.16-3.5.1, rubygem-rails-3_2-3.2.11-2.9.1, rubygem-railties-3_2-3.2.11-2.9.1, rubygem-sprockets-2_2-2.2.2-2.2 openSUSE 12.1 (src): rubygem-actionmailer-2.3.16-2.7.1, rubygem-actionmailer-2_3-2.3.16-3.9.3, rubygem-actionpack-2.3.16-2.7.1, rubygem-actionpack-2_3-2.3.16-3.16.2, rubygem-activerecord-2.3.16-2.7.1, rubygem-activerecord-2_3-2.3.16-3.12.2, rubygem-activeresource-2.3.16-2.7.1, rubygem-activeresource-2_3-2.3.16-3.9.2, rubygem-activesupport-2.3.16-2.7.1, rubygem-activesupport-2_3-2.3.16-3.13.1, rubygem-rack-1_1-1.1.5-3.5.1, rubygem-rails-2.3.16-2.7.1, rubygem-rails-2_3-2.3.16-3.9.1 openSUSE-SU-2013:0280-1: An update that solves 5 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 766792,775649,775653,796712,797449,797452,798452,798458,800320 CVE References: CVE-2012-2695,CVE-2012-5664,CVE-2013-0155,CVE-2013-0156,CVE-2013-0333 Sources used: openSUSE 11.4 (src): rubygem-actionmailer-2.3.16-0.6.1, rubygem-actionmailer-2_3-2.3.16-0.16.1, rubygem-actionpack-2.3.16-0.6.1, rubygem-actionpack-2_3-2.3.16-0.23.1, rubygem-activerecord-2.3.16-0.6.1, rubygem-activerecord-2_3-2.3.16-0.19.1, rubygem-activeresource-2.3.16-0.6.1, rubygem-activeresource-2_3-2.3.16-0.16.1, rubygem-activesupport-2.3.16-0.6.1, rubygem-activesupport-2_3-2.3.16-0.16.1, rubygem-rack-1.1.5-0.8.1, rubygem-rails-2.3.16-0.6.1, rubygem-rails-2_3-2.3.16-0.12.1 This is an autogenerated message for OBS integration: This bug (797449) was mentioned in https://build.opensuse.org/request/show/155282 Evergreen:11.2 / rubygem-actionpack-2_3 https://build.opensuse.org/request/show/155284 Evergreen:11.2 / rubygem-activerecord-2_3 https://build.opensuse.org/request/show/155286 Evergreen:11.2 / rubygem-activeresource-2_3 https://build.opensuse.org/request/show/155288 Evergreen:11.2 / rubygem-activesupport-2_3 https://build.opensuse.org/request/show/155291 Evergreen:11.2 / rubygem-rails-2_3 Update released for: rubygem-actionmailer-2_3, rubygem-actionpack-2_3, rubygem-activerecord-2_3, rubygem-activeresource-2_3, rubygem-activesupport-2_3, rubygem-rails, rubygem-rails-2_3 Products: SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SUSE-CLOUD 1.0 (x86_64) Update released for: rubygem-actionmailer-2_3, rubygem-actionpack-2_3, rubygem-activerecord-2_3, rubygem-activeresource-2_3, rubygem-activesupport-2_3, rubygem-rails, rubygem-rails-2_3 Products: SLE-SLMS 1.2 (x86_64) SLE-STUDIOONSITE 1.2 (x86_64) SLE-STUDIOONSITERUNNER 1.2 (s390x) SLE-WEBYAST 1.2 (i386, ia64, ppc64, s390x, x86_64) reelased |
Via oss-sec: Unsafe Query Generation Risk in Ruby on Rails There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. +This vulnerability has been assigned the CVE identifier CVE-2013-0155. Versions Affected: 3.x series Not affected: 2.x series Fixed Versions: 3.2.11, 3.1.10, 3.0.19 Impact ------ Due to the way Active Record interprets parameters in combination with the way that JSON +parameters are parsed, it is possible for an attacker to issue unexpected database queries with +"IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values +into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE +clause when most users wouldn't expect it. For example, a system has password reset with token functionality: unless params[:token].nil? user = User.find_by_token(params[:token]) user.reset_password! end An attacker can craft a request such that `params[:token]` will return `[nil]`. The `[nil]` +value will bypass the test for nil, but will still add an "IN ('xyz', NULL)" clause to the SQL +query. Similarly, an attacker can craft a request such that `params[:token]` will return an empty hash. +An empty hash will eliminate the WHERE clause of the query, but can bypass the `nil?` check. Note that this impacts not only dynamic finders (`find_by_*`) but also relations +(`User.where(:name => params[:name])`). All users running an affected release should either upgrade or use one of the work arounds +immediately. All users running an affected release should upgrade immediately. Please note, this +vulnerability is a variant of CVE-2012-2660, and CVE-2012-2694. Even if you upgraded to address +those issues, you must take action again. If this chance in behavior impacts your application, you can manually decode the original values +from the request like so: ActiveSupport::JSON.decode(request.body) Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- This problem can be mitigated by casting the parameter to a string before passing it to Active +Record. For example: unless params[:token].nil? || params[:token].to_s.empty? user = User.find_by_token(params[:token].to_s) user.reset_password! end Note the parameter is still cast to a string before being sent to Active Record. This is because +an array with a nil value can still bypass the `to_s.empty?` test: >> ['xyz', nil].to_s => "xyz" >> ['xyz', nil].to_s.empty? => false Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two +supported release series. They are in git-am format and consist of a single changeset. * 3-0-null_array_param.patch - Patch for 3.0 series * 3-1-null_array_param.patch - Patch for 3.1 series * 3-2-null_array_param.patch - Patch for 3.2 series Please note that only the 3.1.x and 3.2.x series are supported at present. Users of earlier +unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the +continued availability of security fixes for unsupported releases. -- Aaron Patterson http://tenderlovemaking.com/