Bug 1188207 - (CVE-2021-32740) VUL-0: CVE-2021-32740: rubygem-addressable: ReDoS in templates
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/303506/
CVSSv3.1:SUSE:CVE-2021-32740:7.5:(AV:...
Depends on:
Blocks:
Reported: 2021-07-12 10:03 UTC by Robert Frohl
Modified: 2021-09-06 14:03 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2021-07-12 10:03:07 UTC
rh#1979702

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

Reference:
https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1979702
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32740
https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g
https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc
Comment 1 Robert Frohl 2021-07-12 10:04:28 UTC
tracking as affected:

- SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/rubygem-addressable
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rubygem-addressable
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rubygem-addressable

as well as openSUSE:Factory
Comment 2 Christian Almeida de Oliveira 2021-07-14 14:09:36 UTC
@robert please note that SOC 7 is out of support, thus this version of SOC will not get the fix. Please have this in mind for further CVEs impacting SOC products.
Comment 3 Dan Čermák 2021-08-03 12:39:14 UTC
(In reply to Robert Frohl from comment #1)

> as well as openSUSE:Factory

Factory already has 2.8.0 which is not vulnerable.
Comment 4 Robert Frohl 2021-08-03 13:01:56 UTC
(In reply to Christian Almeida de Oliveira from comment #2)
> @robert please note that SOC 7 is out of support, thus this version of SOC
> will not get the fix. Please have this in mind for further CVEs impacting
> SOC products.

I updated our tracking.

Flagging SOC7 as EOL is in the works, but has not been completed.
Comment 5 Jacek Tomasiak 2021-08-04 12:56:36 UTC
This commit looks like the actual fix from upstream: https://github.com/sporkmonger/addressable/commit/b48ff03347a6d46e8dc674e242ce74c6381962a5
Comment 7 Swamp Workflow Management 2021-09-02 16:21:32 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2928-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188207
CVE References: CVE-2021-32740
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    rubygem-addressable-2.3.6-3.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-09-02 16:23:49 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:2927-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188207
CVE References: CVE-2021-32740
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    rubygem-addressable-2.3.6-4.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Christian Almeida de Oliveira 2021-09-06 14:03:35 UTC
Fixes for SOC 8 and SOC 9 are available. Back to Security team.