Bug 1233327 (CVE-2015-3224)

Summary: CVE-2015-3224 rubygem-web-console: IP whitelist bypass in Web Console
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hhorak, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Web Console 2.1.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:41:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1233340    
Bug Blocks:    
Attachments:
Description Flags
2-1-ip-whitelist.patch none

Description Vasyl Kaigorodov 2015-06-18 16:02:05 UTC 
There is a remote code execution vulnerability in Web Console.
This vulnerability has been assigned the CVE identifier CVE-2015-3224.

Versions Affected:  All
Not affected:       Environments inaccessible from remote IPs, or without Web Console enabled
Fixed Versions:     2.1.3

Impact 
------ 
Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).

Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.

Workarounds 
----------- 
To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.

The patch against 2.1 series is attached.
Comment 1 Vasyl Kaigorodov 2015-06-18 16:04:46 UTC 
Created attachment 1040553 [details]
2-1-ip-whitelist.patch
Comment 2 Vasyl Kaigorodov 2015-06-18 16:23:11 UTC 
Created rubygem-web-console tracking bugs for this issue:

Affects: fedora-all [bug 1233340]
Comment 3 Fedora Update System 2015-06-30 00:01:20 UTC 
rubygem-web-console-2.1.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Product Security DevOps Team 2019-06-08 02:41:55 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.