Bug 1159927 (CVE-2014-8090)

Summary: CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bcourt, bkearney, carnil, cbillett, ccoleman, dajohnso, dmcphers, gmccullo, jialiu, jmatthew, joelsmith, jokerman, jorton, jprause, jvlcek, lmeyer, mmaslano, mmccomas, mmccune, mmcgrath, ohadlevy, rchan, security-response-team, tomckay, tsanders, vondruch, weli, xlecauch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ruby 1.9.3p551, ruby 2.0.0p598, ruby 2.1.5, jruby 1.7.16.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:47:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1163993, 1163994, 1163998, 1164000, 1164004, 1164005, 1165367, 1542174, 1542175, 1542176, 1542177    
Bug Blocks: 1157711    
Attachments:
Description Flags
Upstream fix none

Description Tomas Hoger 2014-11-03 15:48:38 UTC 
The CVE-2014-8080 (tracked via bug 1157709) was assigned to a "billion laughs" issue affecting the Ruby REXML XML parser.  The issue affected expansion of parameter entities, making it possible for a small XML document to cause the parser to use excessive amount of CPU and memory while parsing.

The upstream patch for CVE-2014-8080 introduced checks against the REXML.entity_expansion_text_limit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entity_expansion_limit.  As a consequence, even with the patch applied, a small XML document could cause REXML to use an excessive amount of CPU time.  High memory usage can be achieved using larger inputs.

Note that similar issues were fixing in REXML in the past for general entities - see bug 460134 (CVE-2008-3790) or bug 914716 (CVE-2013-1821).

Acknowledgement:

This issue was discovered by Red Hat Product Security.
Comment 2 Tomas Hoger 2014-11-03 15:52:10 UTC 
Created attachment 953157 [details]
Upstream fix
Comment 4 Vincent Danen 2014-11-13 21:21:24 UTC 
External References:

https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
Comment 9 Tomas Hoger 2014-11-14 07:26:25 UTC 
Fixed upstream in 1.9.3p551, 2.0.0p598, and 2.1.5.

Upstream commit:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48402
Comment 11 Vincent Danen 2014-11-26 15:32:05 UTC 
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/

Red Hat JBoss SOA Platform 5 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes; and Red Hat JBoss SOA Platform 4.3 is now in Extended Life Support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 12 errata-xmlrpc 2014-11-26 16:09:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1911 https://rhn.redhat.com/errata/RHSA-2014-1911.html
Comment 13 errata-xmlrpc 2014-11-26 16:53:07 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2014:1914 https://rhn.redhat.com/errata/RHSA-2014-1914.html
Comment 14 errata-xmlrpc 2014-11-26 16:53:34 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2014:1913 https://rhn.redhat.com/errata/RHSA-2014-1913.html
Comment 15 errata-xmlrpc 2014-11-26 22:37:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1912 https://rhn.redhat.com/errata/RHSA-2014-1912.html
Comment 16 Tomas Hoger 2014-12-10 20:28:14 UTC 
JRuby was fixed upstream in 1.7.16.2:

http://jruby.org/2014/12/08/jruby-1-7-16-2.html
Comment 17 Kurt Seifried 2018-02-05 18:52:30 UTC 
Created jruby tracking bugs for this issue:

Affects: fedora-all [bug 1542174]


Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1542175]
Comment 19 Vít Ondruch 2018-02-06 08:43:21 UTC 
(In reply to Kurt Seifried from comment #17)
> Created ruby tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1542175]

Pardon me, but what is this? Does the problem reappeared in Ruby 2.5?