Bug 1534027 (CVE-2018-1000119)

Summary: CVE-2018-1000119 rack-protection: Timing attack in authenticity_token.rb
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anprice, apevec, bbuckingham, bcourt, bkearney, btotty, cfeist, chrisw, cluster-maint, extras-orphan, hhorak, hhudgeon, idevat, jaruga, jjoyce, jmatthew, jorton, jpokorny, jschluet, kbasil, lhh, lpeer, lzap, markmc, mburns, mmagr, mmccune, mrike, mrunge, nmoumoul, ohadlevy, omular, rbryant, rchan, rhel8-maint, rhos-maint, rjerrido, ruby-maint, sclewis, sisharma, slinaber, sokeeffe, srevivo, ssaha, tdecacqu, tojeline, tsanders, vbellur, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rack-protection 2.0.0.rc3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:37:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1534028, 1534029, 1554872, 1557252, 1557253, 1557634, 1557635, 1557636, 1557637, 1557638, 1557639, 1557640, 1558382, 1559343, 1559344, 1559345, 1866282    
Bug Blocks: 1551974    

Description Laura Pardo 2018-01-12 20:49:16 UTC 
A flaw was found in rack-protection. Versions prior to 2.0.0.rc3 of the package are vulnerable to Timing Attack due to time-variable comparison of signatures. A malicious user can guess a valid signature one char at a time by considering the time it takes a signature validation to fail.

References:
https://snyk.io/vuln/SNYK-RUBY-SINATRA-20470
https://snyk.io/vuln/SNYK-RUBY-RACKPROTECTION-20395

Patch:
https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
Comment 1 Laura Pardo 2018-01-12 20:50:24 UTC 
Created rubygem-rack-protection tracking bugs for this issue:

Affects: epel-7 [bug 1534028]
Affects: fedora-26 [bug 1534029]
Comment 6 Adam Mariš 2018-03-13 13:42:41 UTC 
Created pcs tracking bugs for this issue:

Affects: openstack-rdo [bug 1554872]
Comment 18 errata-xmlrpc 2018-04-10 09:10:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1060 https://access.redhat.com/errata/RHSA-2018:1060
Comment 19 Andrej Nemec 2018-05-14 12:25:49 UTC 
Statement:

This issue affects the versions of rubygem-rack-protection as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.