Bug 1301933 (CVE-2015-7576)
Summary: | CVE-2015-7576 rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | apatters, bgollahe, bkearney, cbillett, ccoleman, cpelland, dajohnso, dclarizi, dmcphers, gblomqui, gmccullo, gtanzill, jfrey, jhardy, jialiu, joelsmith, jokerman, jorton, jprause, jrusnack, kanderso, katello-bugs, kseifried, lmeyer, mastahnke, mmaslano, mmccomas, mmorsi, mtasaka, obarenbo, osoukup, pvalena, roliveri, sseago, s, strzibny, tomckay, vanmeeuwen+fedora, vondruch, xlecauch |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | rubygem-rails 5.0.0.beta1.1, rubygem-rails 4.2.5.1, rubygem-rails 4.1.14.1, rubygem-rails 3.2.22.1 | Doc Type: | Bug Fix |
Doc Text: | A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack. | ||
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-03-15 21:21:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1301934, 1301935, 1301995, 1301996, 1301997, 1301998, 1301999, 1306275, 1306276, 1306277, 1306278, 1306279, 1306281 | ||
Bug Blocks: | 1302006 |
Description
Adam Mariš
2016-01-26 12:09:30 UTC
Created rubygem-activesupport tracking bugs for this issue:

Affects: fedora-all [bug 1301999]

Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1301996]

Upstream commit:

3.2 https://github.com/rails/rails/commit/a6fa3960c3a149e83eb2ff057be4472a82958e3d
4.1 https://github.com/rails/rails/commit/859ca4474e1608b83d61941724574aba491be7f1
4.2 https://github.com/rails/rails/commit/036bbda9eb3b3885223d53646777733a1547d89a

Mitigation:

Use the following code to monkey-patch the http_basic_authenticate_with method in ActionController:

~~~
require "digest" # provides ::Digest::SHA256 when not already loaded by Rails

module ActiveSupport
  module SecurityUtils
    # Constant-time comparison of two strings of equal byte length: every
    # byte is XORed and OR-accumulated, so there is no early exit on mismatch.
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize

      l = a.unpack "C#{a.bytesize}"

      res = 0
      b.each_byte { |byte| res |= byte ^ l.shift }
      res == 0
    end
    module_function :secure_compare

    # Hash both inputs first so the equal-length check above does not reveal
    # the length of the expected value.
    def variable_size_secure_compare(a, b)
      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
    end
    module_function :variable_size_secure_compare
  end
end

module ActionController
  class Base
    def self.http_basic_authenticate_with(options = {})
      before_action(options.except(:name, :password, :realm)) do
        authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
          # This comparison uses & so that it doesn't short circuit and
          # uses `variable_size_secure_compare` so that length information
          # isn't leaked.
          ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
            ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
        end
      end
    end
  end
end
~~~

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:0296 https://rhn.redhat.com/errata/RHSA-2016-0296.html

rubygem-actionpack-4.2.0-3.fc22, rubygem-activemodel-4.2.0-2.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-activesupport-4.2.0-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-activesupport-4.2.3-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

rubygem-actionpack-4.2.3-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0455 https://rhn.redhat.com/errata/RHSA-2016-0455.html

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0454 https://rhn.redhat.com/errata/RHSA-2016-0454.html
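As an added example (not code from this bug report or from Rails), the standalone Ruby below applies the mitigation pattern from the description to a raw HTTP Basic Authorization header: hash-then-compare so the expected secret's length is not revealed, `&` so both comparisons always run, and an instrumented naive comparison that counts the bytes it inspects before stopping, which is the quantity a timing attack measures. The names `ConstantTime`, `naive_bytes_inspected` and `basic_auth_ok?` and the sample header are constructed for this example.

```ruby
require "digest"

# Added example, not code from the bug report or from Rails: the same
# mitigation pattern applied to a raw HTTP Basic Authorization header.
module ConstantTime
  # Equal-length compare with no early exit: every byte pair is XORed and
  # OR-accumulated, so run time does not depend on where the inputs differ.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    res = 0
    a.each_byte.zip(b.each_byte) { |x, y| res |= x ^ y }
    res.zero?
  end

  # Hash both sides first; the digests are always 64 hex characters, so the
  # length check above can no longer reveal the length of the expected secret.
  def self.variable_size_secure_compare(a, b)
    secure_compare(Digest::SHA256.hexdigest(a), Digest::SHA256.hexdigest(b))
  end
end

# Hypothetical instrumentation of a naive ==-style compare: returns how many
# bytes it inspects before stopping. The count grows with the length of the
# correct prefix, which is the signal a timing attack measures.
def naive_bytes_inspected(a, b)
  return 0 if a.bytesize != b.bytesize
  n = 0
  a.each_byte.zip(b.each_byte) do |x, y|
    n += 1
    break if x != y
  end
  n
end

# Validate a header value such as "Basic dXNlcjpwYXNz" (constructed sample,
# "user:pass") against expected credentials. `&` rather than `&&` so the
# password compare runs even when the user name is wrong.
def basic_auth_ok?(header, expected_name, expected_password)
  return false unless header.is_a?(String) && header.start_with?("Basic ")
  decoded = header.delete_prefix("Basic ").unpack1("m0") # strict Base64
  name, password = decoded.split(":", 2)
  return false if password.nil?
  ConstantTime.variable_size_secure_compare(name, expected_name) &
    ConstantTime.variable_size_secure_compare(password, expected_password)
rescue ArgumentError
  false # malformed Base64
end
```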