Bug 1182169 - (CVE-2021-22880) VUL-0: CVE-2021-22880: rubygem-activerecord-5.2, rubygem-activerecord-6.0, rubygem-activerecord-5_1, rubygem-activerecord-4_2: ReDoS in the PostgreSQL adapter in Active Record
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Marcus Rückert
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/277824/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-22880:5.3:(AV:...
Depends on:
Blocks:
Reported: 2021-02-12 09:06 UTC by Alexandros Toptsoglou
Modified: 2021-11-12 17:18 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
atoptsoglou: needinfo? (mrueckert)


Attachments
cve list (10.49 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet)
2021-08-09 10:42 UTC, Sreejith Kumar P

Description Alexandros Toptsoglou 2021-02-12 09:06:44 UTC
CVE-2021-22880

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers
from a regular expression denial of service (ReDoS) vulnerability. Carefully
crafted input can cause the input validation in the `money` type of the
PostgreSQL adapter in Active Record to spend too much time in a regular
expression, resulting in the potential for a DoS attack. This only impacts Rails
applications that are using PostgreSQL along with money type columns that take
user input.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
https://hackerone.com/reports/1023899
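Added illustration (not part of this bug report, and not the Active Record PostgreSQL adapter's own code): a money-literal cast in the shape the advisory describes, with the backtracking-prone pattern beside a hardened one. The regexes, `cast_money`, `MAX_MONEY_LENGTH` and the sample inputs are assumptions constructed for this page.

```ruby
require "bigdecimal"

# Added illustration for CVE-2021-22880, written for this page. It is NOT the
# Active Record PostgreSQL adapter's own code; the patterns and helper names
# are assumptions that reproduce the shape of the problem the advisory names:
# a money literal is an optional currency prefix, digits with grouping
# separators and two decimals, with negatives written "-$2.55" or "($2.55)".

# Ambiguous shape: the greedy `\D*` can consume commas, and so can the `[\d,]+`
# that follows it. On input that ultimately fails to match, the engine retries
# every way of dividing a run of commas between the two quantifiers, which is
# the super-linear backtracking the advisory describes.
AMBIGUOUS_PATTERNS = {
  dot_decimal:   /\A-?\D*[\d,]+\.\d{2}\z/,  # (1)  $12,345,678.12
  comma_decimal: /\A-?\D*[\d.]+,\d{2}\z/    # (2)  $12.345.678,12
}.freeze

# Hardened shape: the possessive `\D*+` never hands characters back to the
# class after it, so there is exactly one candidate split and matching is
# linear in the input length.
SAFE_PATTERNS = {
  dot_decimal:   /\A-?\D*+[\d,]+\.\d{2}\z/,
  comma_decimal: /\A-?\D*+[\d.]+,\d{2}\z/
}.freeze

# Any genuine money literal is far shorter than this; oversized input is
# rejected at O(1) cost before any regex runs (assumed limit, chosen here).
MAX_MONEY_LENGTH = 64

# Defence in depth on Ruby >= 3.2: a process-wide regex deadline that bounds
# the damage of any backtracking pattern that was missed in review.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Cast a user-supplied money string to BigDecimal; nil means "not a money
# literal". `patterns:` exists only so the two shapes can be compared.
def cast_money(value, patterns: SAFE_PATTERNS)
  return nil unless value.is_a?(String)
  return nil if value.length > MAX_MONEY_LENGTH

  value = value.sub(/\A\((.+)\)\z/, '-\1')              # "($2.55)" -> "-$2.55"
  if value.match?(patterns[:dot_decimal])
    BigDecimal(value.gsub(/[^-\d.]/, ""))               # drop currency and commas
  elsif value.match?(patterns[:comma_decimal])
    BigDecimal(value.gsub(/[^-\d,]/, "").sub(",", "."))  # drop, then "," -> "."
  end
end

# Constructed sample inputs: both locale formats, both negative notations,
# and junk that must be rejected (including an oversized run of separators).
SAMPLES = ["$12,345,678.12", "$12.345.678,12", "-$2.55", "($2.55)",
           "abc", "," * 200].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |s| puts "#{s.inspect[0, 24]} => #{cast_money(s).inspect}" }
end
```

The possessive form is stricter on degenerate strings such as "$,.50", which the ambiguous form accepts by handing the comma back to the digit class; that difference is harmless for real money literals but worth a test when swapping patterns. The length cap and the Ruby 3.2+ `Regexp.timeout` are independent of pattern quality and protect against the next pattern that slips through review.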
Comment 1 Alexandros Toptsoglou 2021-02-12 09:12:36 UTC
Tracking as affected: 

rubygem-activerecord-4_2 in SLE12
rubygem-activerecord-5_1 in SLE 15 --> provides also to Leap 15.2
rubygem-activerecord-5.2 in Leap 15.2 and Factory 
rubygem-activerecord-6.0 in Factory 

rubygem-activerecord-3_2 is not affected.


Fixes can be found attached [1].

[1] https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129/1
Comment 3 Sreejith Kumar P 2021-04-30 09:06:28 UTC
Hello,

Any update on this, please?

One of our customers on SLES 15 SP2:
ruby2.5-rubygem-rails-5_1-5.1.4-1.26.x86_64
https://www.suse.com/security/cve/CVE-2021-22880/

Asking for the fix.

Kindly suggest.


Kind Regards,
Sreejith.
Comment 4 Sreejith Kumar P 2021-05-11 09:43:46 UTC
Hi,

May I request an update on this, please?


Kind Regards,
Sreejith.
Comment 5 Sreejith Kumar P 2021-06-08 06:25:06 UTC
Hi,

Kindly share an update on this please.


Kind Regards,
Sreejith.
Comment 6 Sreejith Kumar P 2021-06-14 07:54:19 UTC
Hello,

It would be great to see an update on this ASAP, please.


Kind Regards,
Sreejith.
Comment 8 Sreejith Kumar P 2021-08-09 10:42:38 UTC
Created attachment 851602 [details]
cve list

Hello,

https://ptf.suse.com/6b116dbea8596aae8332be8912156e22/sles15-sp2-hae/22600/x86_64/20210716

Applied the PTF from the above link and rescanned the server. I could identify that the server still reported the same vulnerabilities; please see the attached file (CVE-List). Request you to suggest further.


Kind Regards,
Sreejith.
Comment 9 Sreejith Kumar P 2021-08-18 10:41:27 UTC
Hello,

Any update, please?


Kind Regards,
Sreejith.
Comment 10 Ali Abdallah 2021-09-15 15:02:28 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> Tracking as affected: 
> 
> rubygem-activerecord-4_2 in SLE12
> rubygem-activerecord-5_1 in SLE15 
> rubygem-activerecord-6.0 in Factory 

I will submit the MR requests myself to include the fix for rubygem-activerecord-4_2 in SLE12 and rubygem-activerecord-5_1 in SLE15. In Factory, both rubygem-activerecord-5.2 and rubygem-activerecord-6.0 already contain the fix.
Comment 12 Swamp Workflow Management 2021-09-30 19:18:41 UTC
SUSE-SU-2021:3267-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1182169
CVE References: CVE-2021-22880
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    rubygem-activerecord-4_2-4.2.9-6.6.1
SUSE OpenStack Cloud Crowbar 8 (src):    rubygem-activerecord-4_2-4.2.9-6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-11-09 14:20:00 UTC
SUSE-SU-2021:3634-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1182169
CVE References: CVE-2021-22880
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP3 (src):    rubygem-activerecord-5_1-5.1.4-5.3.3
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-activerecord-5_1-5.1.4-5.3.3
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-activerecord-5_1-5.1.4-5.3.3
SUSE Linux Enterprise High Availability 15 (src):    rubygem-activerecord-5_1-5.1.4-5.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-11-09 14:22:14 UTC
openSUSE-SU-2021:3634-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1182169
CVE References: CVE-2021-22880
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    rubygem-activerecord-5_1-5.1.4-5.3.3
Comment 16 Swamp Workflow Management 2021-11-12 17:18:10 UTC
openSUSE-SU-2021:1468-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1182169
CVE References: CVE-2021-22880
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    rubygem-activerecord-5_1-5.1.4-lp152.4.3.1