Bug 1980126 (CVE-2021-31810)
| Summary: | CVE-2021-31810 ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | andrelau, caswilli, hhorak, jaruga, joe, jorton, jprokop, kaycoth, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, vanmeeuwen+fedora, vmugicag, vondruch, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ruby 3.0.2, ruby 2.7.4, ruby 2.6.8, rubygem-net-ftp 0.1.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | Ruby's Net::FTP module trusted the IP address included in the FTP server's response to the PASV command. A malicious FTP server could use this to make Ruby applications that use the Net::FTP module connect to arbitrary hosts, and so perform port scanning or information extraction against systems not accessible from the FTP server. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-08-05 19:07:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1980567, 1980568, 1980569, 1980570, 1980571, 1980822, 1980823, 1980824, 1980825, 1980826, 1980827, 1980828, 1986812, 1995174, 1996666, 2052643, 2052645, 2052646, 2052647, 2053195, 2057428 | | |
| Bug Blocks: | 1980129 | | |
Description
Pedro Sampaio
2021-07-07 20:53:27 UTC
This was fixed upstream in Ruby versions 3.0.2, 2.7.4, and 2.6.8:

https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/

Upstream commit in Ruby:
https://git.ruby-lang.org/ruby.git/commit/?id=bf4d05173c7cf04d8892e4b64508ecf7902717cd

This commit makes Net::FTP ignore IP addresses used in PASV responses by default and use the same IP address that is used for the main connection. The newly added attribute use_pasv_ip can be used to re-enable the old behaviour and make Net::FTP connect to the IP specified by the FTP server in the PASV response. This may be required with certain FTP servers.

Note that Ruby 3.1 will no longer include Net::FTP in its standard library, but will rather bundle the net-ftp gem. A commit for this issue in the net-ftp repo is this:
https://github.com/ruby/net-ftp/commit/5709ece67cf57a94655e34532f8a7899b28d496a

Fixed in net-ftp 0.1.3.

The commit in the net-ftp repo also references this hackerone report:
https://hackerone.com/reports/1145454

It has not been made public yet, but it's likely to get disclosed in the near future.

Note that this is the same issue as was recently fixed in curl as CVE-2020-8284 - bug 1902667.

Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980570]

Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 1980571]

Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980567]

Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980568]

Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980569]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31810

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:0672 https://access.redhat.com/errata/RHSA-2022:0672

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708
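The behaviour before and after the fix described in the report above, as an added example that is not code from Ruby or the net-ftp gem: it parses a 227 PASV reply, picks the data-connection host the old way (trust the reply) or the fixed way (reuse the control connection's address), and flags the mismatch a defender would want to log. parse_pasv, data_target and pasv_host_mismatch? are hypothetical names; the use_pasv_ip keyword mirrors the attribute the fix introduced, and control_host stands in for the peer IP of the control socket.

```ruby
# Added example (not code from Ruby or the net-ftp gem): a minimal model of
# how a PASV reply becomes a data-connection target before and after the
# CVE-2021-31810 fix. parse_pasv, data_target and pasv_host_mismatch? are
# hypothetical names; use_pasv_ip mirrors the attribute the fix added.

PASV_RE = /\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into [host, port].
# Raises ArgumentError on anything that is not a well-formed 227 reply.
def parse_pasv(reply)
  raise ArgumentError, "not a 227 reply: #{reply}" unless reply.start_with?("227")
  m = PASV_RE.match(reply)
  raise ArgumentError, "no address tuple in reply: #{reply}" unless m
  fields = m.captures.map(&:to_i)
  raise ArgumentError, "field out of range: #{reply}" if fields.any? { |n| n > 255 }
  host = fields[0, 4].join(".")
  port = fields[4] * 256 + fields[5]
  [host, port]
end

# Choose the host and port for the data connection.
# control_host: the address the control connection was opened to (the real
# fix reads the peer IP of the control socket; a string stands in here).
# use_pasv_ip: false (the fixed default) ignores the server-supplied address
# and reuses control_host; true restores the old behaviour of trusting
# whatever address the server placed in the reply.
def data_target(reply, control_host, use_pasv_ip: false)
  pasv_host, port = parse_pasv(reply)
  [use_pasv_ip ? pasv_host : control_host, port]
end

# Detection aid: true when the server advertised an address other than the
# one the client is already talking to. Servers behind NAT also do this
# (the reason use_pasv_ip exists), so log it rather than abort on it.
def pasv_host_mismatch?(reply, control_host)
  pasv_host, = parse_pasv(reply)
  pasv_host != control_host
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the server at 203.0.113.10 points the client elsewhere.
  reply = "227 Entering Passive Mode (192,0,2,55,19,136)"
  p data_target(reply, "203.0.113.10")                    # => ["203.0.113.10", 5000]
  p data_target(reply, "203.0.113.10", use_pasv_ip: true) # => ["192.0.2.55", 5000]
  p pasv_host_mismatch?(reply, "203.0.113.10")            # => true
end
```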