Bug 934800 (CVE-2015-3227)

Summary: VUL-1: CVE-2015-3227: rubygem-activesupport: Possible Denial of Service attack in Active Support
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: adrian.schroeter, astieger, jmassaguerpla, jsegitz, mrueckert, sandeep.sadanandan, tamal.nath
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:RedHat:CVE-2015-3227:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-3227:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: test code

Description Andreas Stieger 2015-06-15 20:02:10 UTC 
EMBARGOED
CRD: 2015-06-16

Possible Denial of Service attack in Active Support

There is a possible denial of service attack in the XML processing in Active
Support. This vulnerability has been assigned the CVE identifier CVE-2015-3227.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     4.2.2, 4.1.11

Impact 
------ 
Specially crafted XML documents can cause applications to raise a
`SystemStackError` and potentially cause a denial of service attack.  This
only impacts applications using REXML or JDOM as their XML processor.  Other
XML processors that Rails supports are not impacted.

All users running an affected release should either upgrade or use one of the work arounds immediately. 

Releases 
-------- 
The FIXED releases are available at the normal locations. 

Workarounds 
----------- 
Use an XML parser that is not impacted by this problem, such as Nokogiri or
LibXML.  You can change the processor like this:

  ActiveSupport::XmlMini.backend = 'Nokogiri'

If you cannot change XML parsers, then adjust
`RUBY_THREAD_MACHINE_STACK_SIZE`.

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 

* 4-2-xml_depth.patch - Patch for 4.2 series 
* 4-1-xml_depth.patch - Patch for 4.1 series 
* 3-2-xml_depth.patch - Patch for 3.2 series 

Please note that only the 4.2.x and 4.1.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits 
------- 

Thanks to Tomek Rabczak from the NCC Group, and Matthew Draper for reporting
this issue.
Comment 5 Swamp Workflow Management 2015-06-15 22:01:32 UTC 
bugbot adjusting priority
Comment 6 Andreas Stieger 2015-06-16 18:35:50 UTC 
public
Comment 9 Jordi Massaguer 2015-07-01 15:15:25 UTC 
openSUSE:13.1                                                               rubygem-activesupport-3_2

openSUSE:13.2                                                               rubygem-activesupport-3_2

openSUSE:Factory                                                            rubygem-activesupport-4_2

in devel project:

devel:languages:ruby:extensions                                             rubygem-activesupport-2_3
devel:languages:ruby:extensions                                             rubygem-activesupport-3_2
devel:languages:ruby:extensions                                             rubygem-activesupport-4_1
devel:languages:ruby:extensions                                             rubygem-activesupport-4_2
Comment 10 Jordi Massaguer 2015-07-01 17:33:03 UTC 
activesupport 4.2.3 is already in Factory which contains the fix. The same for devel:languages:ruby:extensions
Comment 14 Jordi Massaguer 2015-07-03 15:49:40 UTC 
Created attachment 640104 [details]
test code

run "ruby.ruby2.1 test2.rb"

if the version has been patched, you'll get an error of type 

 The document is too deep (REXML::ParseException)


This is what you expect since the default deep is 100.

With the unpatched version, you won't get any error because there is no deep checking, which is what could cause the denial of service.
Comment 22 Bernhard Wiedemann 2015-07-07 15:00:24 UTC 
This is an autogenerated message for OBS integration:
This bug (934800) was mentioned in
https://build.opensuse.org/request/show/315482 13.2+13.1 / rubygem-activesupport-3_2
https://build.opensuse.org/request/show/315483 13.2+13.1 / rubygem-activesupport-3_2
https://build.opensuse.org/request/show/315484 13.2+13.1 / rubygem-activesupport-3_2
Comment 25 Swamp Workflow Management 2015-07-22 13:11:42 UTC 
openSUSE-SU-2015:1279-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 934800
CVE References: CVE-2015-3227
Sources used:
openSUSE 13.2 (src):    rubygem-activesupport-3_2-3.2.17-2.3.1
openSUSE 13.1 (src):    rubygem-activesupport-3_2-3.2.13-3.17.1
Comment 26 Tamal Kanti Nath 2015-09-28 10:04:55 UTC 
*** Bug 934875 has been marked as a duplicate of this bug. ***
Comment 27 Tamal Kanti Nath 2015-09-28 10:37:02 UTC 
Sorry, I have wrongly marked another bug duplicate of this bug. Sorry for the inconvenience.
Comment 30 Swamp Workflow Management 2016-01-07 16:11:44 UTC 
SUSE-SU-2016:0047-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 934800
CVE References: CVE-2015-3227
Sources used:
SUSE Webyast 1.3 (src):    rubygem-activesupport-3_2-3.2.12-0.14.3
SUSE Studio Onsite 1.3 (src):    rubygem-activesupport-3_2-3.2.12-0.14.3
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    rubygem-activesupport-3_2-3.2.12-0.14.3
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    rubygem-activesupport-3_2-3.2.12-0.14.3
SUSE Lifecycle Management Server 1.3 (src):    rubygem-activesupport-3_2-3.2.12-0.14.3
Comment 31 Andreas Stieger 2016-01-12 10:34:11 UTC 
Releasing rubygem-activesupport-4_1 for SUSE-CLOUD-5, closing
Comment 32 Swamp Workflow Management 2016-01-12 14:13:46 UTC 
SUSE-SU-2016:0082-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 934799,934800
CVE References: CVE-2015-3226,CVE-2015-3227
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-activesupport-4_1-4.1.9-9.2