Bug 1171517 - VUL-1: CVE-2020-10663: ruby2.1,ruby2.5: Unsafe Object Creation Vulnerability in JSON
Summary: VUL-1: CVE-2020-10663: ruby2.1,ruby2.5: Unsafe Object Creation Vulnerability ...
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/255507/
Whiteboard: CVSSv2:NVD:CVE-2020-10663:5.0:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-12 13:05 UTC by Marcus Meissner
Modified: 2020-07-10 13:03 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2020-05-12 13:05:54 UTC
+++ This bug was initially created as a clone of Bug #1167244 +++

CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)

There is an unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. We strongly recommend upgrading the json gem.
Details

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.
Affected versions

    JSON gem 2.2.0 or prior

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Comment 2 Swamp Workflow Management 2020-06-09 13:24:10 UTC
SUSE-SU-2020:1570-1: An update that fixes 42 vulnerabilities is now available.

Category: security (important)
Bug References: 1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275
CVE References: CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 8 (src):    ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 7 (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP5 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP4 (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Enterprise Storage 5 (src):    ruby2.1-2.1.9-19.3.2
HPE Helion Openstack 8 (src):    ruby2.1-2.1.9-19.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Alexandros Toptsoglou 2020-07-10 13:03:32 UTC
Done