Bug 1935724 (CVE-2019-25025)

Summary: CVE-2019-25025 rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: akarol, bbuckingham, bcourt, bkearney, btotty, dmetzger, ehelms, gmccullo, gtanzill, hhudgeon, jhardy, lzap, mmccune, nmoumoul, pcreech, rchan, rjerrido, roliveri, simaishi, smallamp, sokeeffe
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the activerecord-session_store (Active Record Session Store) component through version 1.1.3 for Ruby on Rails where it does not use a constant time approach when delivering information about whether a guessed session ID is valid. This flaw allows remote attackers to leverage timing discrepancies to achieve a correct guess in a relatively short amount of time.
Story Points: ---
Last Closed: 2021-11-13 15:51:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1936552, 1936553
Bug Blocks: 1935725

Description Michael Kaplan 2021-03-05 13:09:16 UTC
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.
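Added example, not code from the gem, the proposed patch or the reporter: a constructed Ruby session store that contrasts the variable-time lookup described above with a constant-time comparison (a hand-written equivalent of what ActiveSupport::SecurityUtils.secure_compare provides) and with hashing the id before lookup, an approach assumed here from Rack's fix for the related CVE-2019-16782. The store, its schema and the method names are assumptions for illustration only.

```ruby
require "digest"
require "securerandom"

# Constant-time equality for two byte strings: XOR every byte pair and OR the
# results together, so the loop runs over the full length no matter where
# the inputs first differ. Length mismatch is rejected up front because the
# length of a session id is public anyway.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Constructed stand-in for the sessions table (hypothetical schema).
# With hash_ids: true the row key is SHA-256(public id), so any timing leak
# in the lookup is about a digest the attacker cannot steer byte by byte,
# not about the id they must present.
class SessionStore
  def initialize(hash_ids: true)
    @hash_ids = hash_ids
    @rows = {}
  end

  def key_for(sid)
    @hash_ids ? Digest::SHA256.hexdigest(sid) : sid
  end

  def create(data)
    sid = SecureRandom.hex(16)
    @rows[key_for(sid)] = data
    sid
  end

  # Vulnerable pattern: String#== returns at the first differing byte, so
  # the time taken to reject a guessed id grows with its correct prefix.
  def find_variable_time(sid)
    k = key_for(sid)
    @rows.each { |stored, data| return data if stored == k }
    nil
  end

  # Hardened pattern: every candidate row is compared over its full length.
  def find_constant_time(sid)
    k = key_for(sid)
    @rows.each { |stored, data| return data if secure_compare(stored, k) }
    nil
  end
end
```

Both finders return the same rows; the difference is only in how long a wrong guess takes to reject, which is the signal the advisory describes.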

Comment 2 Yadnyawalk Tale 2021-03-08 17:53:46 UTC
Proposed patch: https://github.com/rails/activerecord-session_store/pull/151 
(Not merged into activerecord-session_store yet).

Comment 4 Yadnyawalk Tale 2021-03-09 16:50:21 UTC
External References:

https://github.com/advisories/GHSA-cvw2-xj8r-mjf7

Comment 9 Eric Helms 2021-04-28 13:10:42 UTC
The upstream fix for this has been merged and released as part of activerecord-session_store version 2.0.0. I think this can move states now.

Comment 11 errata-xmlrpc 2021-11-16 14:08:00 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702