Bug 2322153 (CVE-2024-49761)
| Summary: | CVE-2024-49761 rexml: REXML ReDoS vulnerability | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | akostadi, alex.wang, amasferr, anthomas, cbartlet, chazlett, crizzo, darunesh, dmayorov, drehak, ehelms, ggainey, jaruga, jlledo, jprokop, juwatts, kyoshida, mhulan, mmakovy, mpoole, mpospisi, nmoumoul, osousa, pcreech, prodsec-dev, rchan, sabhasin, smallamp, tjochec, tmalecek, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | Flags: | vondruch: needinfo? (darunesh); kyoshida: needinfo? (prodsec-dev); kyoshida: needinfo? (prodsec-dev) |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the REXML XML toolkit for Ruby. Parsing XML data containing a large number of digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`) can trigger catastrophic regular expression backtracking (ReDoS), so a crafted document can keep the parser busy for a long time and cause a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
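The Doc Text above describes the bug class but not the mechanism. The following is an added example written for this page, not REXML's code and not the upstream fix: it uses a constructed pattern with the shape that produces this kind of ReDoS (a `0*` prefix immediately followed by `\d+`, so both quantifiers accept the same zeros and a failing match retries every split between them), a linear-time replacement, a constructed trigger input, and a check of the installed rexml against the first fixed release named in the upstream advisory (3.3.9). The exact regex that was changed is in the linked upstream commit; the pattern here only reproduces its shape.

```ruby
# Added example for this page; not REXML's code. Shows the regex shape behind
# the ReDoS described in the Doc Text, a linear-time replacement, and a
# check of the installed rexml against the fixed release.
require "benchmark"

# Constructed pattern with the vulnerable shape (modeled on the bug class,
# not copied from rexml): `0*` and `\d+` both accept zeros, so when the
# trailing `;` never matches the engine retries every split of the zeros
# between the two quantifiers -> O(n^2) backtracking on Ruby 3.1.
OVERLAPPING = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/

# Hardened shape: no `0*` prefix, so the decimal branch is a single `\d+`
# and a failed match backtracks linearly; leading zeros are left to Integer().
NON_OVERLAPPING = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/

# Expand decimal (&#NN;) and hex (&#xHH;) character references in +text+
# using +pattern+; anything that does not match is left untouched.
def decode_char_refs(text, pattern)
  text.gsub(pattern) do
    ref = Regexp.last_match(1)
    code = ref.start_with?("x") ? Integer(ref[1..], 16) : Integer(ref, 10)
    [code].pack("U")
  end
end

# Constructed trigger input: many digits between "&#" and "x", with no hex
# digit after the x, so neither pattern can ever complete a match.
def malicious_reference(n)
  "&#" + ("0" * n) + "x;"
end

# Wall-clock growth when the input doubles: ~4x means quadratic backtracking,
# ~2x means linear. Ruby 3.2+ memoizes backtracking for patterns like these,
# so both patterns usually report ~2x there; the quadratic case shows on 3.1.
def growth_ratio(pattern, n)
  small = Benchmark.realtime { decode_char_refs(malicious_reference(n), pattern) }
  large = Benchmark.realtime { decode_char_refs(malicious_reference(2 * n), pattern) }
  large / small
end

# true if the installed rexml is at or above the first fixed release (3.3.9
# per the upstream advisory), false if older, nil if rexml is not installed.
def rexml_fixed?(fixed = "3.3.9")
  require "rexml/rexml"
  Gem::Version.new(REXML::VERSION) >= Gem::Version.new(fixed)
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  sample = "A=&#65; B=&#x42; C=&#0067; D=&#x0044;"   # constructed input
  puts decode_char_refs(sample, NON_OVERLAPPING)
  [OVERLAPPING, NON_OVERLAPPING].each do |re|
    linear = Regexp.respond_to?(:linear_time?) ? Regexp.linear_time?(re) : "n/a (pre-3.2)"
    puts format("%s: linear_time?=%s growth=%.1fx", re.source, linear, growth_ratio(re, 10_000))
  end
  puts "installed rexml at or above 3.3.9: #{rexml_fixed?.inspect}"
end
```

Run it on the Ruby you actually ship with: on 3.1 the overlapping pattern's growth ratio climbs toward 4x and the hardened one stays near 2x, which is the whole difference between a parser that finishes and one that pins a core; on 3.2 and later the interpreter's regexp memoization usually flattens both, which is consistent with the advisory scoping the issue to Ruby 3.1, but it is no substitute for updating rexml. `Regexp.linear_time?` (3.2+) tells you whether that memoization applies to a given pattern, and `Regexp.timeout =` bounds any single match as a defense in depth against patterns it does not cover.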
Description
OSIDB Bzimport
2024-10-28 15:01:18 UTC
Upstream Ruby's CVE page is below.
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/

And some other info in addition to the first comment.
* Affected Ruby versions: Ruby 3.1 (and maybe older versions too).
* Ruby 3.1 latest version 3.1.6's bundled rexml version is 3.2.5.

Here is the upstream patch including the fix and test.
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f

Confirming that Ruby 2.5.9 is not affected. The test from the patch passes in scratch builds (tested on the stream-ruby-2.5-rhel-8.8.0 branch):

[ 2346/17497] REXMLTests::TestParseCharacterReference#test_gt_linear_performance_many_preceding_zeros = 0.00 s
[ 2347/17497] REXMLTests::TestParseCharacterReference#test_hex_precedding_zero = 0.00 s

(In reply to Dominik Rehák from comment #4)
> Confirming that Ruby 2.5.9 is not affected. The test from the patch passes
> in scratch builds (tested on the stream-ruby-2.5-rhel-8.8.0 branch):
>
> [ 2346/17497]
> REXMLTests::TestParseCharacterReference#test_gt_linear_performance_many_preceding_zeros
> = 0.00 s
> [ 2347/17497]
> REXMLTests::TestParseCharacterReference#test_hex_precedding_zero = 0.00 s

In my investigation and testing, Ruby 2.5.9 is affected.
This issue has been addressed in the following products:

* Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, via RHSA-2024:10777 https://access.redhat.com/errata/RHSA-2024:10777
* Red Hat Enterprise Linux 8, via RHSA-2024:10834 https://access.redhat.com/errata/RHSA-2024:10834
* Red Hat Enterprise Linux 8, via RHSA-2024:10850 https://access.redhat.com/errata/RHSA-2024:10850
* Red Hat Enterprise Linux 9, via RHSA-2024:10858 https://access.redhat.com/errata/RHSA-2024:10858
* Red Hat Enterprise Linux 9, via RHSA-2024:10860 https://access.redhat.com/errata/RHSA-2024:10860
* Red Hat Enterprise Linux 9.4 Extended Update Support, via RHSA-2024:10961 https://access.redhat.com/errata/RHSA-2024:10961
* Red Hat Enterprise Linux 9.2 Extended Update Support, via RHSA-2024:10964 https://access.redhat.com/errata/RHSA-2024:10964
* Red Hat Enterprise Linux 8.8 Extended Update Support, via RHSA-2024:10966 https://access.redhat.com/errata/RHSA-2024:10966
* Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, via RHSA-2024:10977 https://access.redhat.com/errata/RHSA-2024:10977
* Red Hat Enterprise Linux 9.2 Extended Update Support, via RHSA-2024:10982 https://access.redhat.com/errata/RHSA-2024:10982
* Red Hat Enterprise Linux 9.4 Extended Update Support, via RHSA-2024:10984 https://access.redhat.com/errata/RHSA-2024:10984
* Red Hat Enterprise Linux 8.8 Extended Update Support, via RHSA-2024:11001 https://access.redhat.com/errata/RHSA-2024:11001
* Red Hat Enterprise Linux 8.2 Advanced Update Support, via RHSA-2024:11027 https://access.redhat.com/errata/RHSA-2024:11027
* Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, via RHSA-2024:11028 https://access.redhat.com/errata/RHSA-2024:11028
* Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service, via RHSA-2024:11029 https://access.redhat.com/errata/RHSA-2024:11029

@Dhananjay could you please elaborate why the rating was changed? Is that intentional or was it by accident?

This issue has been addressed in the following products:

* Red Hat Enterprise Linux 8, via RHSA-2025:11047 https://access.redhat.com/errata/RHSA-2025:11047
* Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.8 Telecommunications Update Service, via RHSA-2025:12499 https://access.redhat.com/errata/RHSA-2025:12499
* Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service, via RHSA-2025:13307 https://access.redhat.com/errata/RHSA-2025:13307
* Red Hat Satellite 6.17 for RHEL 9, via RHSA-2025:13269 https://access.redhat.com/errata/RHSA-2025:13269
* Red Hat Satellite 6.16 for RHEL 8, Red Hat Satellite 6.16 for RHEL 9, via RHSA-2025:15124 https://access.redhat.com/errata/RHSA-2025:15124
* Satellite Client 6 for RHEL 8, Satellite Client 6 for RHEL 9, via RHSA-2025:15371 https://access.redhat.com/errata/RHSA-2025:15371