Bugzilla – Bug 956281
VUL-0: CVE-2015-7519: rubygem-passenger: Passenger is not filtering environment like apache is doing
Last modified: 2016-04-27 19:47:40 UTC
Passenger is not filtering headers when exporting them to the environment like Apache does. In our setup this caused a grave security issue since it was possible
to inject a variable by using "_" instead of "-". The Ruby web application has no chance to distinguish between the variables.
We patched Passenger to filter the export of the headers to the environment analogous to the Apache code. The fix can be found here:
based on passenger 5.0.28
Reported privately to email@example.com, receipt was acknowledged.
proposal on apache mailing list:
Btw, nginx has an "underscores_in_headers" option (where the default is off). So Passenger under nginx is probably safe.
I guess that mod_passenger should also have such an option. Our patch currently doesn't implement that.
(Also note that the commit's claim "RFC 2616 says that header names must start with a letter, followed only by letters, numbers or hyphen" is bogus. Underscores are perfectly legal.)
Similar code has been in since the first release (tag release-1.0.0), where this code is in ext/apache2/Hooks.cpp http2env() prior to re-factoring.
bugbot adjusting priority
sent to distros
CRD: 2015-12-07 11:00 UTC
CVE-2015-7519 was assigned to this issue.
Assign to SLE maintainer
Do you have a test code?
An update workflow for this issue was started.
This issue was rated as "moderate".
Please submit fixed packages by "Dec. 15, 2015".
When done, reassign the bug to "firstname.lastname@example.org".
Created attachment 657961 [details]
this tarball contains:
home/vagrant/test-CVE-2015-7519/ <- simple rack application
etc/apache2/vhosts.d/test-cve-2015-7519.conf <- virtual host for the above application
README <- instructions on how to use curl in order to test.
public at https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e
Created attachment 659536 [details]
see README on how to use the reproducer.
I am replacing the reproducer since the instructions in the README were wrong. Sorry about that.
In order to reproduce it, you need to do
curl -H "X_username: test" http://localhost
With the original rpm, you should see this output
With the patched rpm:
note the test has been filtered.
What the patch does is to accept "-" or alphanums, but not "_". Otherwise, "x_username" would overwrite the HTTP_X_USERNAME header.
For Apache < 2.4 you need to adjust the /etc/apache2/vhosts.d/test-cve-2015-7519.conf
See the comments in the same file.
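The collision described in the comment above, as an added illustration that is not Passenger's code and not the attached patch: a minimal reimplementation of the CGI-style header-to-environment mapping, once without filtering and once with the Apache-style rule (letters, digits and "-" only). The header names and values are constructed for the example; the point is that without the filter a client-supplied "X_Username" lands in the same HTTP_X_USERNAME variable as a trusted proxy's "X-Username".

```ruby
# Naive mapping, as described for unpatched Passenger: upcase the header name
# and turn "-" into "_". An underscore in the original name survives untouched,
# so "X-Username" and "X_Username" both become HTTP_X_USERNAME.
def naive_header_to_env(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Apache-style filtering (hypothetical reimplementation of the rule the fix
# applies): only letters, digits and "-" are accepted in a header name.
# Anything else, "_" included, is not exported to the environment at all.
def filtered_header_to_env(name)
  return nil unless name.match?(/\A[A-Za-z0-9-]+\z/)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Build the environment a Rack app would see from raw (name, value) pairs.
# Later entries overwrite earlier ones with the same key, as in CGI.
def build_env(headers, filter:)
  env = {}
  headers.each do |name, value|
    key = filter ? filtered_header_to_env(name) : naive_header_to_env(name)
    next if key.nil?                     # filtered out: never reaches the app
    env[key] = value
  end
  env
end

# Constructed sample: an authenticating front-end sets X-Username, and the
# same request also carries a client-supplied X_Username.
SAMPLE_HEADERS = [
  ["Host", "localhost"],
  ["X-Username", "alice"],   # set by the trusted front-end
  ["X_Username", "admin"],   # supplied by the client (cf. the curl line above)
].freeze

if __FILE__ == $PROGRAM_NAME
  unfiltered = build_env(SAMPLE_HEADERS, filter: false)
  filtered   = build_env(SAMPLE_HEADERS, filter: true)
  puts "unfiltered HTTP_X_USERNAME=#{unfiltered['HTTP_X_USERNAME']}"  # admin
  puts "filtered   HTTP_X_USERNAME=#{filtered['HTTP_X_USERNAME']}"    # alice
end
```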
Created attachment 659602 [details]
patch for version 3.0.14
SUSE-SU-2015:2337-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 956281
CVE References: CVE-2015-7519
SUSE Linux Enterprise Module for Containers 12 (src): rubygem-passenger-5.0.18-6.1
fixed and released.
Releasing for SLE-SLMS_1.3, SLE-STUDIOONSITE_1.3, SLE-WEBYAST_1.3
SUSE-SU-2016:0042-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 828005,919726,956281
CVE References: CVE-2013-2119,CVE-2013-4136,CVE-2015-7519
SUSE Webyast 1.3 (src): rubygem-passenger-3.0.14-0.14.1
SUSE Studio Onsite 1.3 (src): rubygem-passenger-3.0.14-0.14.1
SUSE Lifecycle Management Server 1.3 (src): rubygem-passenger-3.0.14-0.14.1