Bug 1995940 (CVE-2021-22942)

Summary: CVE-2021-22942 rubygem-actionpack: possible open redirect in the Host Authorization middleware
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: akarol, bbuckingham, bcourt, bkearney, btotty, dmetzger, ehelms, gmccullo, gtanzill, jaruga, jfrey, jhardy, jsherril, lzap, mhulan, mmccune, mo, myarboro, nmoumoul, obarenbo, orabin, pcreech, pvalena, rchan, rjerrido, roliveri, ruby-packagers-sig, simaishi, smallamp, sokeeffe, sseago, strzibny, vondruch
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: rubygem-actionpack 6.1.4.1, rubygem-actionpack 6.0.4.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-actionpack. Specially crafted “X-Forwarded-Host” headers, in combination with certain “allowed host” formats, can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. The highest threat from this vulnerability is to system availability.
Last Closed: 2021-08-30 17:57:23 UTC
Bug Depends On: 1995941, 1999085
Bug Blocks: 1995943

Description Marian Rehak 2021-08-20 09:05:47 UTC
Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Reference:

https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/

Comment 1 Marian Rehak 2021-08-20 09:06:05 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1995941]

Comment 3 Yadnyawalk Tale 2021-08-30 11:25:45 UTC
Analysis
==========

Earlier, when `config.hosts` had a domain name with a leading dot (.), some function sanitized this domain name with a wrong regex, which was leading to redirection. CVE-2021-22881 fixed this by introducing a new regex with the addition of some auth checks. However, if `config.hosts` has a domain name with case sensitivity (for example, .REDHAT.com), redirection was still possible; this is fixed by CVE-2021-22942.

I do see `config.hosts` in the development env of upstream Foreman, but the domain name doesn't start with a leading dot (.) anyway, which is required. Additionally, the production env does not have `config.hosts`, so this looks safe. The same goes for downstream Satellite. I don't see upstream Katello using any of this.
https://github.com/theforeman/foreman/blob/develop/config/environments/development.rb#L63
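
As an added illustration of the allowed-host matching discussed in this analysis (my own example, not code from Rails, Foreman or this bug), the following Ruby models a Host Authorization check with the gaps above closed: a leading-dot entry such as `.REDHAT.com` is compiled into an anchored, case-insensitive pattern whose subdomain part is limited to hostname label characters, and the last `X-Forwarded-Host` value is checked the same way as `Host`. The class and method names (`HostCheck`, `allowed?`, `authorized?`) are assumptions.

```ruby
# Added example, not Rails code: a minimal allowed-host matcher that closes
# the two gaps named in the analysis (loose leading-dot regex, case
# sensitivity) and checks X-Forwarded-Host like Host. Names are assumptions.
class HostCheck
  LABEL = "[a-z0-9-]+" # one DNS label; excludes "/", "@", "#", ":" and spaces

  def initialize(hosts)
    @patterns = Array(hosts).map { |h| compile(h) }
  end

  # Exact, case-insensitive match of a bare hostname against the config.
  def allowed?(host)
    return false if host.nil? || host.empty?
    @patterns.any? { |p| p.match?(host) }
  end

  # Rack env check. Redirect URLs built by url_for/redirect_to take their
  # host from X-Forwarded-Host when it is set, so the last forwarded value
  # must pass the same test as the Host header (ports are dropped first).
  def authorized?(env)
    host = env["HTTP_HOST"].to_s.sub(/:\d+\z/, "")
    fwd  = env["HTTP_X_FORWARDED_HOST"].to_s.split(/,\s*/).last.to_s.sub(/:\d+\z/, "")
    allowed?(host) && (fwd.empty? || allowed?(fwd))
  end

  private

  def compile(entry)
    body = Regexp.escape(entry.sub(/\A\./, ""))
    if entry.start_with?(".")
      # ".example.com": the domain itself or exactly one label beneath it;
      # anchored with \A/\z and /i so ".REDHAT.com" accepts www.redhat.com
      /\A(#{LABEL}\.)?#{body}\z/i
    else
      /\A#{body}\z/i
    end
  end
end

if $PROGRAM_NAME == __FILE__
  check = HostCheck.new([".example.com", ".REDHAT.com", "api.internal"])
  %w[www.example.com WWW.REDHAT.COM a.b.example.com example.com.other.test].each do |h|
    puts "#{h}: #{check.allowed?(h) ? 'allowed' : 'blocked'}"
  end
end
```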

Comment 4 Yadnyawalk Tale 2021-08-30 11:35:18 UTC
CVSS explanation:
* AC:H - Assuming the victim already has a vulnerable configuration (i.e. config.hosts with case sensitivity)
* C:L and I:L - Information in the victim's browser associated with the vulnerable Rails app can be read (and later modified) by the malicious attacker by directing it to any destination the attacker wishes.

Comment 7 Product Security DevOps Team 2021-08-30 17:57:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22942