Bug 1689154 (CVE-2019-5420)

Summary: CVE-2019-5420 rubygem-rails: Weak secret token leading to possible code execution
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: hhorak, jaruga, jorton, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, sseago, s, strzibny, tdawson, vondruch
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: rubygem-rails 6.0.0.beta3, rubygem-rails 5.2.2.1
Last Closed: 2019-06-10 10:50:56 UTC
Bug Depends On: 1689155
Bug Blocks: 1689156

Description Andrej Nemec 2019-03-15 10:19:55 UTC
With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

External References:

https://groups.google.com/d/msg/rubyonrails-security/IsQKvDqZdKw/UYgRCJz2CgAJ

Comment 1 Andrej Nemec 2019-03-15 10:20:47 UTC
Created rubygem-rails tracking bugs for this issue:

Affects: fedora-all [bug 1689155]

Comment 2 Andrej Nemec 2019-03-15 10:32:15 UTC
References:

https://seclists.org/oss-sec/2019/q1/176

Comment 4 Stefan Cornelius 2019-03-18 12:34:07 UTC
Looks like this was introduced via https://github.com/rails/rails/commit/69f976b859cae7f9d050152103da018b7f5dda6d

The versions we ship do not contain this change yet and are not affected by this issue.

Comment 5 Stefan Cornelius 2019-03-18 12:34:09 UTC
Statement:

This issue did not affect the versions of rh-ror42-rubygem-rails and rh-ror50-rubygem-rails as shipped with Red Hat Software Collections.

Comment 6 Jun Aruga 2019-03-20 15:02:04 UTC
Note on affected versions.

> Versions Affected:  6.0.0.X, 5.2.X.
> Fixed Versions:     6.0.0.beta3, 5.2.2.1 
> https://groups.google.com/d/msg/rubyonrails-security/IsQKvDqZdKw/UYgRCJz2CgAJ