Bug 831573 (CVE-2012-2695)

Summary: CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bkabrda, bleanhar, ccoleman, hbrock, jeckersb, jrusnack, mastahnke, mmccune, mmcgrath, mmorsi, morazi, mtasaka, sseago, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-activerecord 3.2.6, rubygem-activerecord 3.1.6, rubygem-activerecord 3.0.14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-19 05:06:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 831582, 831583, 831728, 831801, 903994    
Bug Blocks: 767033, 836071    
Attachments:
Description Flags
Proposed upstream patch against the v2.3 branch
none
Proposed upstream patch against the v3.0 branch
none
Proposed upstream patch against the v3.1 branch
none
Proposed upstream patch against the v3.2 branch none

Description Jan Lieskovsky 2012-06-13 10:55:10 UTC 
Originally, the CVE-2012-2661 identifier has been assigned to the following issue:

A security flaw was found in the way rubygem-activerecord, the ActiveRecord pattern for ORM, performed SQL query generation based on the content of params hash, when nested query paramaters were provided. If a Ruby on Rails application directly passed request params to the 'where' method of an ActiveRecord class, a remote attacker could use this flaw to cause the 'params[:id]' to return a specially-crafted hash, resulting into the WHERE clause of the SQL statement to query an arbitrary table with value of attacker's choice, leading to disclosure of sensitive information. (bug 827363)

Recently (2012-06-12) it has been reported:
[1] https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59

that there still exists a variant of this attack, which is possible to exploit even when the upstream patch for the original CVE-2012-2661 issue has been applied. More from [1]:

--

Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2661, even if you upgraded to address that issue, you must take action again.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value. 

--

Proposed upstream patches (see attachments).
Comment 1 Jan Lieskovsky 2012-06-13 10:56:48 UTC 
Created attachment 591438 [details]
Proposed upstream patch against the v2.3 branch
Comment 2 Jan Lieskovsky 2012-06-13 10:57:47 UTC 
Created attachment 591439 [details]
Proposed upstream patch against the v3.0 branch
Comment 3 Jan Lieskovsky 2012-06-13 10:58:19 UTC 
Created attachment 591440 [details]
Proposed upstream patch against the v3.1 branch
Comment 4 Jan Lieskovsky 2012-06-13 10:58:53 UTC 
Created attachment 591441 [details]
Proposed upstream patch against the v3.2 branch
Comment 5 Jan Lieskovsky 2012-06-13 11:01:45 UTC 
This issue affects the versions of the rubygem-activerecord package, as shipped with Fedora release of 15, 16, and 17. Please schedule an update.

--

This issue affects the version of the rubygem-activerecord package, as shipped with Fedora EPEL 5. Please schedule an update.
Comment 7 Jan Lieskovsky 2012-06-13 11:23:52 UTC 
Created rubygem-activerecord tracking bugs for this issue

Affects: fedora-all [bug 831582]
Affects: epel-5 [bug 831583]
Comment 11 Fedora Update System 2012-06-30 08:25:08 UTC 
rubygem-activerecord-3.0.10-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-06-30 08:27:19 UTC 
rubygem-activerecord-3.0.11-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2012-12-04 19:31:26 UTC 
This issue has been addressed in following products:

  CloudForms for RHEL 6

Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html
Comment 14 errata-xmlrpc 2013-01-10 20:42:13 UTC 
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html
Comment 16 errata-xmlrpc 2013-02-28 19:07:39 UTC 
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html