Bug 2025104 (CVE-2021-41817)

Summary: CVE-2021-41817 ruby: Regular expression denial of service vulnerability of Date parsing methods
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: caswilli, hhorak, jaruga, joe, jorton, jprokop, jwong, kaycoth, kyoshida, mo, mtasaka, pvalena, ruby-maint, ruby-packagers-sig, s, strzibny, vanmeeuwen+fedora, vmugicag, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ruby-date 3.2.1, ruby-date 3.1.2, ruby-date 3.0.2, ruby-date 2.0.1, ruby 3.0.3, ruby 2.7.5, ruby 2.6.9 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ruby, where the date object was found to be vulnerable to a regular expression denial of service (ReDoS) during the parsing of dates. This flaw allows an attacker to hang a ruby application by providing a specially crafted date string. The highest threat to this vulnerability is system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-03 01:49:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2025503, 2026669, 2026670, 2026671, 2026672, 2026673, 2027703, 2027704, 2027705, 2027706, 2027707, 2027708, 2027709, 2027710, 2037995, 2053046, 2053047, 2053048, 2053049, 2057448, 2100522, 2109427, 2123021, 2128627, 2128635    
Bug Blocks: 2025105    

Description Pedro Sampaio 2021-11-19 21:05:10 UTC 
Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

References:

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/date/CVE-2021-41817.yml
https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
Comment 2 Pedro Sampaio 2021-11-25 13:22:56 UTC 
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026671]


Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 2026673]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026669]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026670]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 2026672]
Comment 3 Cedric Buissart 2021-11-30 09:00:07 UTC 
Upstream fix in date v3.2.1 :
https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0

Additional fixes to mimic previous behavior :
https://github.com/ruby/date/commit/8f2d7a0c7e52cea8333824bd527822e5449ed83d
https://github.com/ruby/date/commit/376c65942bd1d81803f14d37351737df60ec4664
Comment 7 errata-xmlrpc 2022-02-16 11:34:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543
Comment 8 errata-xmlrpc 2022-02-16 11:35:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544
Comment 9 errata-xmlrpc 2022-02-21 10:11:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
Comment 10 errata-xmlrpc 2022-02-21 10:12:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
Comment 11 errata-xmlrpc 2022-02-28 18:56:55 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708
Comment 12 Product Security DevOps Team 2022-03-03 01:49:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41817
Comment 15 errata-xmlrpc 2022-08-01 12:10:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5779 https://access.redhat.com/errata/RHSA-2022:5779
Comment 16 errata-xmlrpc 2022-09-13 09:43:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6447 https://access.redhat.com/errata/RHSA-2022:6447
Comment 17 errata-xmlrpc 2022-09-13 09:45:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6450 https://access.redhat.com/errata/RHSA-2022:6450
Comment 18 errata-xmlrpc 2022-10-11 07:31:18 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6855 https://access.redhat.com/errata/RHSA-2022:6855
Comment 19 errata-xmlrpc 2022-10-11 07:32:40 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6856 https://access.redhat.com/errata/RHSA-2022:6856