Bug 2063149 (CVE-2022-23633)

Summary: CVE-2022-23633 rubygem-actionpack: information leak between requests
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbuckingham, bcourt, btotty, ehelms, jaruga, jsherril, lzap, mhulan, mmccune, mo, myarboro, nmoumoul, orabin, pcreech, pvalena, rchan, ruby-packagers-sig, sseago, strzibny, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rails 7.0.2.1, rails 6.1.4.5, rails 6.0.4.5, rails 5.2.6.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Rack middleware package of RubyGems, where response bodies will not close under certain circumstances. This flaw allows an attacker to iterate requests to force ActionDispatch::Executor to not close, allowing subsequent requests to leak data from ActiveSupport::CurrentAttributes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-05 22:11:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2063150, 2066666    
Bug Blocks: 2063151    

Description Marian Rehak 2022-03-11 11:34:06 UTC 
In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.

Reference:

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
Comment 1 Marian Rehak 2022-03-11 11:34:26 UTC 
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 2063150]
Comment 3 errata-xmlrpc 2022-07-05 14:27:42 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498
Comment 4 Product Security DevOps Team 2022-07-05 22:11:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23633