Bug 1827500 (CVE-2020-10663)
| Summary: | CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, akarol, amackenz, amasferr, ataylor, bkearney, cfeist, chazlett, clalancette, cluster-maint, dmetzger, drieden, extras-orphan, ganandan, ggaughan, gmalinko, gmccullo, gtanzill, gvarsami, hhorak, hvyas, idevat, janstey, jaruga, jcoleman, jfrey, jhardy, jochrist, jorton, jwon, kconner, ldimaggi, lef, lxtnow, mkudlej, mlisik, mo, mpospisi, msrb, mtasaka, nwallace, obarenbo, omular, puebele, pvalena, roliveri, rschiron, ruby-maint, ruby-packagers-sig, rwagner, simaishi, smallamp, s, strzibny, tcunning, tjochec, tkirby, tojeline, vanmeeuwen+fedora, vbellur, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | rubygem-json 2.3.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-06-10 11:20:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1827501, 1827502, 1827503, 1827504, 1827505, 1827506, 1827664, 1828192, 1831094, 1831095, 1831096, 1831097, 1831098, 1831099, 1838853, 1840152, 1840153, 1840154, 1842762, 1954952, 1955054, 1957120, 2055226, 2055236 | ||
| Bug Blocks: | 1827508 | ||
|
Description
Pedro Sampaio
2020-04-24 04:18:35 UTC
Created jruby tracking bugs for this issue: Affects: fedora-all [bug 1827506] Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1827505] Created ruby:2.5/ruby tracking bugs for this issue: Affects: fedora-all [bug 1827503] Created ruby:2.6/ruby tracking bugs for this issue: Affects: fedora-all [bug 1827504] Created rubygem-json tracking bugs for this issue: Affects: epel-6 [bug 1827502] Affects: fedora-all [bug 1827501] https://hackerone.com/reports/706934 https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01 Statement: Red Hat CloudForms 5 uses vulnerable rubygem-json, however, is not vulnerable in Ruby since it does not use version which includes JSON into stdlib. This issue affects the version of JSON(embedded in pcs) as shipped with Red Hat Gluster Storage 3. However, the vulnerable method calls are currently not used by the product and hence this issue has been rated as having a security impact of Low. External References: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663 Mitigation: To mitigate this vulnerability, do not supply untrusted user input and/or untrusted strings to the following method calls or utilize code libraries which do so: ``` JSON(user_input) JSON[user_input, nil] JSON.parse(user_input, nil) JSON::Parser.new(user_input).parse ``` Also note that JSON.load() should never be given input from unknown sources. This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:2473 https://access.redhat.com/errata/RHSA-2020:2473 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10663 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2462 https://access.redhat.com/errata/RHSA-2020:2462 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2670 https://access.redhat.com/errata/RHSA-2020:2670 (In reply to Mamoru TASAKA from comment #5) > https://hackerone.com/reports/706934 > https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01 https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ > Affected versions > JSON gem 2.2.0 or prior Note that the CVE-2020-10663 can also be fixed by upgrading Ruby to 2.7.1, 2.6.6 or 2.5.8. https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/ https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/ https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/ This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582 |