Bug 734310 (CVE-2011-3187)

Summary: CVE-2011-3187 rubygem-actionpack: does not validate X-Forwarded-For header in requests from class C networks
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: mastahnke, mmorsi, sseago, vanmeeuwen+fedora, vondruch
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-08-30 23:59:05 UTC
Bug Depends On: 745570
Bug Blocks: 732542

Description Vincent Danen 2011-08-30 04:34:01 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3187 to
the following vulnerability:

Name: CVE-2011-3187
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187
Assigned: 20110819
Reference: FULLDISC:20110216 Ruby on Rails Vulnerability
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html
Reference: http://www.openwall.com/lists/oss-security/2011/08/17/1
Reference: http://www.openwall.com/lists/oss-security/2011/08/19/11
Reference: http://www.openwall.com/lists/oss-security/2011/08/20/1
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/14
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/13
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/5
Reference: http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html
Reference: https://bugzilla.novell.com/show_bug.cgi?id=673010

The to_s method in
actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on
Rails 3.0.5 does not validate the X-Forwarded-For header in requests
from IP addresses on a Class C network, which might allow remote
attackers to inject arbitrary text into log files or bypass intended
address parsing via a crafted header.
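As an added illustration, not code from the Rails tree or from this report, the following Ruby helper applies the validation the CVE text says remote_ip.rb lacked: every X-Forwarded-For entry must parse as a bare IPv4/IPv6 address before it can become the client IP or reach a log line, and entries that fail are reported separately so an operator can log a structured rejection instead of the raw header. The trusted-proxy list, including 192.168.0.0/16 (which the CVE text appears to mean by "Class C"), is an assumption modelled on private address space, not the report's own list.

```ruby
require 'ipaddr'

# Assumed trusted-proxy ranges (RFC 1918 private space plus loopback); the
# report does not list them, this is an example choice.
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ::1/128]
                  .map { |cidr| IPAddr.new(cidr) }.freeze

# Parse one comma-separated X-Forwarded-For entry. Returns an IPAddr only for a
# bare address; CIDR suffixes, hostnames, control characters and injected text
# all yield nil, so they can never be used as a client address or logged as one.
def parse_entry(entry)
  s = entry.strip
  return nil if s.empty? || s.include?('/')
  IPAddr.new(s)
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError subclass
  nil
end

def trusted?(ip)
  TRUSTED_PROXIES.any? { |net| net.family == ip.family && net.include?(ip) }
end

# Same contract as remote_ip: the last well-formed, untrusted address in
# X-Forwarded-For, otherwise REMOTE_ADDR (which comes from the socket, not
# from the client). Always returns a String.
def client_ip(x_forwarded_for, remote_addr)
  candidates = x_forwarded_for.to_s.split(',').map { |e| parse_entry(e) }.compact
  chosen = candidates.reject { |ip| trusted?(ip) }.last
  chosen ? chosen.to_s : remote_addr
end

# Entries dropped by parse_entry, for a structured "rejected header entry" log
# event; the raw header value itself is never written to the log.
def rejected_entries(x_forwarded_for)
  x_forwarded_for.to_s.split(',').map(&:strip).reject { |e| parse_entry(e) }
end
```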

Comment 1 Vincent Danen 2011-08-30 04:35:23 UTC
I've asked upstream whether or not they are aware of this flaw, and whether or not it has been fixed and/or if they have further details.

Comment 2 Vincent Danen 2011-08-30 23:58:52 UTC
Upstream replied as follows:


We've seen this one reported a few times, it's just not a security issue from
our perspective.

The value in question is user-provided, just like request.content_type or
request.user_agent, and isn't documented as being safe to use unescaped in
shell scripts.  All of the query generation and javascript generating stuff
will escape that value (just like any other one that's user provided). We've
heard of no apps being compromised, seen no attack vectors that exploit this in
a way we hadn't considered.

We're just tracking it as a bug rather than a security bug.


In light of the above, I am going to close this as NOTABUG; future Fedora releases will obtain the fix when upstream fixes this as a bug.