Bug 797449 - VUL-0: rubygem-activerecord*: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
VUL-0: rubygem-activerecord*: Unsafe Query Generation Risk in Ruby on Rails (...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp2:51246 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-01-09 08:34 UTC by Sebastian Krahmer
Modified: 2013-06-14 06:58 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
attached fix#1 (7.46 KB, patch)
2013-01-09 08:35 UTC, Sebastian Krahmer
Details | Diff
attached fix#2 (7.35 KB, patch)
2013-01-09 08:36 UTC, Sebastian Krahmer
Details | Diff
attached fix#3 (7.33 KB, patch)
2013-01-09 08:36 UTC, Sebastian Krahmer
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krahmer 2013-01-09 08:34:04 UTC
Via oss-sec:

Unsafe Query Generation Risk in Ruby on Rails

There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing.
+This vulnerability has been assigned the CVE identifier CVE-2013-0155.

Versions Affected:  3.x series
Not affected:       2.x series
Fixed Versions:     3.2.11, 3.1.10, 3.0.19

Impact
------

Due to the way Active Record interprets parameters in combination with the way that JSON
+parameters are parsed, it is possible for an attacker to issue unexpected database queries with
+"IS NULL" or empty where clauses.  This issue does *not* let an attacker insert arbitrary values
+into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE
+clause when most users wouldn't expect it.

For example, a system has password reset with token functionality:

    unless params[:token].nil?
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

An attacker can craft a request such that `params[:token]` will return `[nil]`.  The `[nil]`
+value will bypass the test for nil, but will still add an "IN ('xyz', NULL)" clause to the SQL
+query.

Similarly, an attacker can craft a request such that `params[:token]` will return an empty hash.
+An empty hash will eliminate the WHERE clause of the query, but can bypass the `nil?` check.

Note that this impacts not only dynamic finders (`find_by_*`) but also relations
+(`User.where(:name => params[:name])`).

All users running an affected release should either upgrade or use one of the work arounds
+immediately. All users running an affected release should upgrade immediately. Please note, this
+vulnerability is a variant of CVE-2012-2660, and CVE-2012-2694.  Even if you upgraded to address
+those issues, you must take action again.

If this chance in behavior impacts your application, you can manually decode the original values
+from the request like so:

    ActiveSupport::JSON.decode(request.body)

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
This problem can be mitigated by casting the parameter to a string before passing it to Active
+Record.  For example:

    unless params[:token].nil? || params[:token].to_s.empty?
      user = User.find_by_token(params[:token].to_s)
      user.reset_password!
    end

Note the parameter is still cast to a string before being sent to Active Record. This is because
+an array with a nil value can still bypass the `to_s.empty?` test:

    >> ['xyz', nil].to_s
    => "xyz"
    >> ['xyz', nil].to_s.empty?
    => false

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two
+supported release series.  They are in git-am format and consist of a single changeset.

* 3-0-null_array_param.patch - Patch for 3.0 series
* 3-1-null_array_param.patch - Patch for 3.1 series
* 3-2-null_array_param.patch - Patch for 3.2 series

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier
+unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the
+continued availability of security fixes for unsupported releases.

--
Aaron Patterson
http://tenderlovemaking.com/
Comment 1 Sebastian Krahmer 2013-01-09 08:35:40 UTC
Created attachment 519461 [details]
attached fix#1
Comment 2 Sebastian Krahmer 2013-01-09 08:36:14 UTC
Created attachment 519462 [details]
attached fix#2
Comment 3 Sebastian Krahmer 2013-01-09 08:36:35 UTC
Created attachment 519463 [details]
attached fix#3
Comment 4 Swamp Workflow Management 2013-01-09 23:00:21 UTC
bugbot adjusting priority
Comment 5 Bernhard Wiedemann 2013-01-17 16:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (797449) was mentioned in
https://build.opensuse.org/request/show/148846 Maintenance /
Comment 6 Swamp Workflow Management 2013-02-12 09:11:46 UTC
openSUSE-SU-2013:0278-1: An update that solves 5 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 766792,775649,775653,796712,797449,797452,798452,798458,800320
CVE References: CVE-2012-2695,CVE-2012-5664,CVE-2013-0155,CVE-2013-0156,CVE-2013-0333
Sources used:
openSUSE 12.2 (src):    rubygem-actionmailer-2.3.16-2.5.1, rubygem-actionmailer-2_3-2.3.16-2.5.3, rubygem-actionmailer-3_2-3.2.11-2.9.5, rubygem-actionpack-2.3.16-2.5.1, rubygem-actionpack-2_3-2.3.16-2.13.3, rubygem-actionpack-3_2-3.2.11-3.9.4, rubygem-activemodel-3_2-3.2.11-2.9.2, rubygem-activerecord-2.3.16-3.5.1, rubygem-activerecord-2_3-2.3.16-2.9.2, rubygem-activerecord-3_2-3.2.11-2.9.1, rubygem-activeresource-2.3.16-3.5.1, rubygem-activeresource-2_3-2.3.16-2.5.2, rubygem-activeresource-3_2-3.2.11-2.9.1, rubygem-activesupport-2.3.16-3.5.1, rubygem-activesupport-2_3-2.3.16-3.9.1, rubygem-activesupport-3_2-3.2.11-2.9.1, rubygem-rack-1_1-1.1.5-6.5.1, rubygem-rack-1_2-1.2.7-2.5.1, rubygem-rack-1_3-1.3.9-2.5.1, rubygem-rack-1_4-1.4.1-2.5.1, rubygem-rails-2.3.16-3.5.1, rubygem-rails-2_3-2.3.16-3.5.1, rubygem-rails-3_2-3.2.11-2.9.1, rubygem-railties-3_2-3.2.11-2.9.1, rubygem-sprockets-2_2-2.2.2-2.2
openSUSE 12.1 (src):    rubygem-actionmailer-2.3.16-2.7.1, rubygem-actionmailer-2_3-2.3.16-3.9.3, rubygem-actionpack-2.3.16-2.7.1, rubygem-actionpack-2_3-2.3.16-3.16.2, rubygem-activerecord-2.3.16-2.7.1, rubygem-activerecord-2_3-2.3.16-3.12.2, rubygem-activeresource-2.3.16-2.7.1, rubygem-activeresource-2_3-2.3.16-3.9.2, rubygem-activesupport-2.3.16-2.7.1, rubygem-activesupport-2_3-2.3.16-3.13.1, rubygem-rack-1_1-1.1.5-3.5.1, rubygem-rails-2.3.16-2.7.1, rubygem-rails-2_3-2.3.16-3.9.1
Comment 7 Swamp Workflow Management 2013-02-12 10:05:19 UTC
openSUSE-SU-2013:0280-1: An update that solves 5 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 766792,775649,775653,796712,797449,797452,798452,798458,800320
CVE References: CVE-2012-2695,CVE-2012-5664,CVE-2013-0155,CVE-2013-0156,CVE-2013-0333
Sources used:
openSUSE 11.4 (src):    rubygem-actionmailer-2.3.16-0.6.1, rubygem-actionmailer-2_3-2.3.16-0.16.1, rubygem-actionpack-2.3.16-0.6.1, rubygem-actionpack-2_3-2.3.16-0.23.1, rubygem-activerecord-2.3.16-0.6.1, rubygem-activerecord-2_3-2.3.16-0.19.1, rubygem-activeresource-2.3.16-0.6.1, rubygem-activeresource-2_3-2.3.16-0.16.1, rubygem-activesupport-2.3.16-0.6.1, rubygem-activesupport-2_3-2.3.16-0.16.1, rubygem-rack-1.1.5-0.8.1, rubygem-rails-2.3.16-0.6.1, rubygem-rails-2_3-2.3.16-0.12.1
Comment 8 Bernhard Wiedemann 2013-02-13 07:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (797449) was mentioned in
https://build.opensuse.org/request/show/155282 Evergreen:11.2 / rubygem-actionpack-2_3
https://build.opensuse.org/request/show/155284 Evergreen:11.2 / rubygem-activerecord-2_3
https://build.opensuse.org/request/show/155286 Evergreen:11.2 / rubygem-activeresource-2_3
https://build.opensuse.org/request/show/155288 Evergreen:11.2 / rubygem-activesupport-2_3
https://build.opensuse.org/request/show/155291 Evergreen:11.2 / rubygem-rails-2_3
Comment 9 Swamp Workflow Management 2013-03-19 13:13:47 UTC
Update released for: rubygem-actionmailer-2_3, rubygem-actionpack-2_3, rubygem-activerecord-2_3, rubygem-activeresource-2_3, rubygem-activesupport-2_3, rubygem-rails, rubygem-rails-2_3
Products:
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SUSE-CLOUD 1.0 (x86_64)
Comment 10 Swamp Workflow Management 2013-04-03 14:49:24 UTC
Update released for: rubygem-actionmailer-2_3, rubygem-actionpack-2_3, rubygem-activerecord-2_3, rubygem-activeresource-2_3, rubygem-activesupport-2_3, rubygem-rails, rubygem-rails-2_3
Products:
SLE-SLMS 1.2 (x86_64)
SLE-STUDIOONSITE 1.2 (x86_64)
SLE-STUDIOONSITERUNNER 1.2 (s390x)
SLE-WEBYAST 1.2 (i386, ia64, ppc64, s390x, x86_64)
Comment 11 Marcus Meissner 2013-06-14 06:58:10 UTC
reelased