Bug 1114425 (CVE-2014-3482)
| Field | Value |
|---|---|
| Summary: | CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting |
| Product: | [Other] Security Response |
| Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability |
| Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA |
| QA Contact: | |
| Severity: | medium |
| Docs Contact: | |
| Priority: | medium |
| Version: | unspecified |
| CC: | abaron, aortega, apevec, ayoung, bdunne, bkabrda, bkearney, bleanhar, cbillett, ccoleman, chrisw, dajohnso, dallan, dclarizi, dmcphers, gkotton, gmccullo, gmollett, jdetiber, jfrey, jialiu, jkeck, jokerman, jorton, jprause, jrafanie, jrusnack, jstribny, jvlcek, katello-bugs, kseifried, lhh, lmeyer, markmc, mastahnke, mburns, mmaslano, mmccomas, mmcgrath, mmorsi, mpovolny, mtasaka, obarenbo, rbryant, rhos-maint, sclewis, security-response-team, sseago, tomckay, vanmeeuwen+fedora, vdanen, vondruch, xlecauch, yeylon |
| Target Milestone: | --- |
| Keywords: | Security |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | |
| Fixed In Version: | rubygem-activerecord 3.2.19, rubygem-activerecord 4.0.0 |
| Doc Type: | Bug Fix |
| Doc Text: | It was discovered that Active Record did not properly quote values of the bitstring type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record. |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | 2014-11-06 09:45:46 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | 1115332, 1115334, 1115628, 1115629, 1115775, 1115776, 1143801 |
| Bug Blocks: | 1114429 |
| Attachments: | |
Description

Murray McAllister 2014-06-30 04:44:27 UTC

Created attachment 913247
patch from upstream

This is now public: https://groups.google.com/forum/#!topic/rubyonrails-security/wDxePLJGZdI

Statement: This issue does not affect CloudForms 5 as it does not use the "bitstring" data type anywhere in the product.

Created rubygem-activerecord tracking bugs for this issue:
Affects: fedora-19 [bug 1115775]
Affects: epel-5 [bug 1115776]

Upstream release announcement: http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/
Upstream 3.2.x commit: https://github.com/rails/rails/commit/1f2192e46d78ee0ba2b06373f2c24caf8440ff5b

Fixed in ActiveRecord 3.2.19. 4.x versions were not affected according to upstream.

IssueDescription:
It was discovered that Active Record did not properly quote values of the bitstring type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.

This issue has been addressed in the following products:
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Via RHSA-2014:0876 https://rhn.redhat.com/errata/RHSA-2014-0876.html

CFME doesn't use any bitstring fields in the database backend. But we should rebase activerecord at some point.

SAM-1 doesn't use any bitstring fields in the database backend. But we should rebase activerecord at some point.
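As an added example (not code from this bug, from the attached patch, or from Rails itself), here is the quoting pattern behind this class of bug: a PostgreSQL bit-string value is recognised with a regex and then interpolated into an SQL literal, and in Ruby `^` and `$` anchor at line boundaries, so a value with a second line passes the check while `\A`/`\z` anchors reject it. The page only says the values were "not properly quoted"; that the linked upstream commit corrects the regex anchoring is my reading of it, and the method names and inputs below are constructed for the example.

```ruby
# Added example, not Rails code: bit-string quoting for a PostgreSQL
# adapter, written two ways. In Ruby, ^ and $ match at line boundaries,
# so a multi-line value can satisfy /^[01]*$/ on its first line while
# carrying arbitrary text on the next; \A and \z anchor to the whole
# string (\z is strict, unlike \Z which still permits a trailing newline).

# Flawed variant: line anchors let a multi-line value through and the
# whole value is interpolated into the SQL literal.
def quote_bit_flawed(value)
  case value
  when /^[01]*$/      then "B'#{value}'" # bit-string literal
  when /^[0-9A-F]*$/i then "X'#{value}'" # hexadecimal literal
  end
end

# Hardened variant: whole-string anchors; anything else is refused
# rather than being interpolated into SQL.
def quote_bit_safe(value)
  case value
  when /\A[01]*\z/      then "B'#{value}'"
  when /\A[0-9A-F]*\z/i then "X'#{value}'"
  else
    raise ArgumentError, "not a bit-string literal: #{value.inspect}"
  end
end

# Constructed inputs: a well-formed value and one carrying a second line.
GOOD_INPUT = "0101".freeze
MULTILINE_INPUT = "0101\nnot a bit string".freeze

# Reports whether each quoter accepts the given value.
def compare_quoters(value)
  flawed = !quote_bit_flawed(value).nil?
  safe = begin
    quote_bit_safe(value)
    true
  rescue ArgumentError
    false
  end
  { flawed_accepts: flawed, safe_accepts: safe }
end

if __FILE__ == $PROGRAM_NAME
  p compare_quoters(GOOD_INPUT)      # {:flawed_accepts=>true, :safe_accepts=>true}
  p compare_quoters(MULTILINE_INPUT) # {:flawed_accepts=>true, :safe_accepts=>false}
end
```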