Bug 1310054 (CVE-2016-2098)
| Summary: | CVE-2016-2098 rubygem-actionview, rubygem-actionpack: code injection vulnerability in Action View | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> | ||||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||||
| Severity: | high | Docs Contact: | |||||||||||
| Priority: | high | ||||||||||||
| Version: | unspecified | CC: | apatters, bkearney, cbillett, ccoleman, cpelland, dajohnso, dclarizi, dmcphers, gblomqui, gmccullo, gtanzill, jfrey, jhardy, jialiu, joelsmith, jokerman, jorton, jprause, jrusnack, kseifried, lmeyer, mmaslano, mmccomas, obarenbo, roliveri, security-response-team, tazz, tomckay, vondruch, xlecauch | ||||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||||
| Target Release: | --- | ||||||||||||
| Hardware: | All | ||||||||||||
| OS: | Linux | ||||||||||||
| Whiteboard: | |||||||||||||
| Fixed In Version: | rubygem-actionpack 3.2.22.2, rubygem-actionview 4.1.14.2, rubygem-actionview 4.2.5.2 | Doc Type: | Bug Fix | ||||||||||
| Doc Text: |
A code injection flaw was found in the way Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to execute arbitrary code.
|
Story Points: | --- | ||||||||||
| Clone Of: | Environment: | ||||||||||||
| Last Closed: | 2016-03-15 21:20:09 UTC | Type: | --- | ||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||
| Documentation: | --- | CRM: | |||||||||||
| Verified Versions: | Category: | --- | |||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
| Embargoed: | |||||||||||||
| Bug Depends On: | 1310233, 1310234, 1310235, 1310236, 1313387, 1313388, 1313389, 1315704, 1315705, 1316729 | ||||||||||||
| Bug Blocks: | 1310055 | ||||||||||||
| Attachments: |
|
||||||||||||
Acknowledgments: Name: the Ruby on Rails project Upstream: Tobias Kraze (makandra), joernchen (Phenoelit) Created attachment 1128508 [details]
Upstream patch
Created attachment 1131939 [details]
Upstream patch 3.2
Created attachment 1131942 [details]
Upstream patch 4.1
Created attachment 1131943 [details]
Upstream patch 4.2
Affected versions were changed, previous advisory listed these versions: Versions Affected: 3.2.x, 4.0.x Not affected: 4.1+ Fixed Versions: 3.2.22.2 External Reference: https://groups.google.com/forum/#!msg/rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ Created rubygem-actionpack tracking bugs for this issue: Affects: fedora-all [bug 1313387] Created rubygem-actionpack tracking bugs for this issue: Affects: epel-5 [bug 1313389] Upstream commits: 3.2 https://github.com/rails/rails/commit/769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9 4.1 https://github.com/rails/rails/commit/fcf0f42494634861a648276ba7acab6b9b123257 4.2 https://github.com/rails/rails/commit/9e579ef9e239ee8ee76596bc541daf1182ba8b8d hackerone report, but it fails to provide any additional information not already included in the upstream announcement: https://hackerone.com/reports/113928 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2016:0456 https://rhn.redhat.com/errata/RHSA-2016-0456.html This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Via RHSA-2016:0455 https://rhn.redhat.com/errata/RHSA-2016-0455.html This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Via RHSA-2016:0454 https://rhn.redhat.com/errata/RHSA-2016-0454.html rubygem-actionpack-4.2.3-5.fc23, rubygem-actionview-4.2.3-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. rubygem-actionpack-4.2.0-4.fc22, rubygem-actionview-4.2.0-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |
Code injection vulnerability in Action Pack was found, possibly leading to remote code execution. Applications that pass unverified user input to the `render` method in a controller may be vulnerable to a code injection. Impacted code will look like this: ```ruby class TestController < ApplicationController def show render params[:id] end end ``` Carefully crafted request parameters, can be used to coerce the above example to execute arbitrary ruby code. A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method. Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x Not affected: 5.0+ Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2