Bug 909029 (CVE-2013-0269)

Summary: CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2013-09-03 04:56:26 UTC
Bug Depends On: 909031, 909033, 909035, 909036, 910313, 910314, 910315, 974094, 978171, 995670    
Bug Blocks: 910299, 925673, 958335, 978151, 980652, 981152    
Attachments:
* rubygem-json-1-5-CVE-2013-0269.patch
* rubygem-json-1-6-CVE-2013-0269.patch
* rubygem-json-1-7-CVE-2013-0269.patch
* Updated patch for 1.7 version

Description Kurt Seifried 2013-02-08 05:19:00 UTC
Aaron Patterson of the Ruby on Rails project reports:


Denial of Service and Unsafe Object Creation Vulnerability in JSON

There is a denial of service and unsafe object creation vulnerability in the 
json gem. This vulnerability has been assigned the CVE identifier 
CVE-2013-0269.

Versions Affected:  All. This includes JSON that ships with Ruby 1.9.X-pXXX
Not affected:       NONE
Fixed Versions:     1.7.7, 1.6.8, 1.5.5

Impact 
------ 
When parsing certain JSON documents, the JSON gem can be coerced into 
creating Ruby symbols in a target system.  Since Ruby symbols are not garbage 
collected, this can result in a denial of service attack.

The same technique can be used to create objects in a target system that act 
like internal objects.  These "act alike" objects can be used to bypass 
certain security mechanisms and can be used as a springboard for SQL injection
attacks in Ruby on Rails.

Impacted code looks like this:

    JSON.parse(user_input)

Where the `user_input` variable will have a JSON document like this:

    {"json_class":"foo"}

The JSON gem will attempt to look up the constant "foo".  Looking up this 
constant will create a symbol.

In JSON version 1.7.x, objects with arbitrary attributes can be created using 
JSON documents like this:

    {"json_class":"JSON::GenericObject","foo":"bar"}

This document will result in an instance of JSON::GenericObject, with the 
attribute "foo" that has the value "bar".  Instantiating these objects will 
result in arbitrary symbol creation and in some cases can be used to bypass 
security measures.

PLEASE NOTE: this behavior *does not change* when using `JSON.load`.  
`JSON.load` should *never* be given input from unknown sources.  If you are 
processing JSON from an unknown source, *always* use `JSON.parse`.

All users running an affected release should either upgrade or use one of the 
workarounds immediately.

Releases 
-------- 
The FIXED releases are available at the normal locations.

Workarounds 
----------- 
For users that cannot upgrade, please use the attached patches.  If you cannot 
use the attached patches, change your code from this:

    JSON.parse(json)

To this:

    JSON.parse(json, :create_additions => false)

If you cannot change the usage of `JSON.parse` (for example, you're using a gem 
which depends on `JSON.parse`, like multi_json), then apply this monkey patch:

    module JSON
      class << self
        # Keep the original parser reachable under a new name.
        alias :old_parse :parse

        # Force create_additions off for every caller, including gems that
        # reach JSON.parse indirectly (e.g. multi_json).
        def parse(json, args = {})
          args[:create_additions] = false
          old_parse(json, args)
        end
      end
    end

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches 
for the three supported release series.  They are in git-am format and consist 
of a single changeset. 

* 1-7-VULN.patch - Patch for the 1.7 series
* 1-6-VULN.patch - Patch for the 1.6 series
* 1-5-VULN.patch - Patch for the 1.5 series

Credits 
-------
* Thomas Hollstegge of Zweitag (www.zweitag.de)
* Ben Murphy
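
The following is an added example (not part of the advisory or the json gem) showing the hardened parse path from the workaround section together with a defensive check that locates `json_class` markers in untrusted documents so they can be logged or rejected. The helper names `parse_untrusted` and `json_class_markers` and the sample documents are constructed for this example.

```ruby
require 'json'

# Hardened wrapper: untrusted JSON is parsed with create_additions disabled,
# so a "json_class" key stays a plain string-keyed hash entry and never
# triggers a constant lookup or object instantiation.
def parse_untrusted(json)
  JSON.parse(json, create_additions: false)
end

# Defensive check: walk a parsed document and collect every place where the
# create_id key ("json_class" by default) appears, with a JSONPath-style
# location and the class name the input asked for. Useful for logging or
# rejecting such documents before they reach code that might re-serialise
# them with additions enabled.
def json_class_markers(node, path = '$', found = [])
  case node
  when Hash
    found << [path, node[JSON.create_id]] if node.key?(JSON.create_id)
    node.each { |k, v| json_class_markers(v, "#{path}.#{k}", found) }
  when Array
    node.each_with_index { |v, i| json_class_markers(v, "#{path}[#{i}]", found) }
  end
  found
end

# Constructed sample inputs mirroring the documents in the advisory.
SAMPLE_CONSTANT = '{"json_class":"foo"}'
SAMPLE_GENERIC  = '{"json_class":"JSON::GenericObject","foo":"bar"}'
SAMPLE_NESTED   = '{"items":[{"json_class":"foo"},{"ok":1}]}'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_CONSTANT, SAMPLE_GENERIC, SAMPLE_NESTED].each do |doc|
    parsed = parse_untrusted(doc)
    puts "#{doc} -> #{parsed.class}; markers: #{json_class_markers(parsed).inspect}"
  end
end
```
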

Comment 1 Kurt Seifried 2013-02-08 05:20:35 UTC
Created attachment 694933 [details]
rubygem-json-1-5-CVE-2013-0269.patch

Comment 2 Kurt Seifried 2013-02-08 05:20:56 UTC
Created attachment 694934 [details]
rubygem-json-1-6-CVE-2013-0269.patch

Comment 3 Kurt Seifried 2013-02-08 05:21:16 UTC
Created attachment 694936 [details]
rubygem-json-1-7-CVE-2013-0269.patch

Comment 12 Tomas Hoger 2013-02-12 10:03:28 UTC
Created ruby tracking bugs for this issue

Affects: fedora-all [bug 910314]

Comment 13 Tomas Hoger 2013-02-12 10:03:33 UTC
Created rubygem-json tracking bugs for this issue

Affects: fedora-all [bug 910313]
Affects: epel-all [bug 910315]

Comment 14 Jan Lieskovsky 2013-02-12 10:16:30 UTC
Created attachment 696457 [details]
Updated patch for 1.7 version

Updated patch for 1.7 version from:
  [1] http://www.openwall.com/lists/oss-security/2013/02/11/8

From [1]:
Hi,

I've attached an updated patch for the JSON gem.  This patch is for the
1.7.x series.  The difference in this patch is changing the version
number.

-- 
Aaron Patterson
http://tenderlovemaking.com/

Comment 18 Vincent Danen 2013-02-22 15:27:33 UTC
External References:

http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/

Comment 19 errata-xmlrpc 2013-03-26 19:17:59 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html

Comment 20 Murray McAllister 2013-03-27 10:13:16 UTC
Acknowledgements:

Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters.

Comment 22 errata-xmlrpc 2013-04-02 20:07:10 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0701 https://rhn.redhat.com/errata/RHSA-2013-0701.html

Comment 27 errata-xmlrpc 2013-07-09 17:37:14 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0

Via RHSA-2013:1028 https://rhn.redhat.com/errata/RHSA-2013-1028.html

Comment 28 Kurt Seifried 2013-07-26 06:21:42 UTC
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.

Comment 29 errata-xmlrpc 2013-08-08 17:08:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2013:1147 https://rhn.redhat.com/errata/RHSA-2013-1147.html

Comment 31 errata-xmlrpc 2013-08-29 23:28:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.0.0

Via RHSA-2013:1185 https://rhn.redhat.com/errata/RHSA-2013-1185.html

Comment 32 sebastien.olivier 2020-05-29 15:52:03 UTC
An affected package (rubygem-json - version 1.4.6-2.el6) is still in use by Red Hat Satellite.  Can someone confirm whether this vulnerability affects Red Hat Satellite?

Comment 36 Yadnyawalk Tale 2020-07-30 17:42:35 UTC
Satellite Srpms
~~~~~~~~~~~~~~~~

* Red Hat Satellite 6:  nil
* Red Hat Satellite Tools 6.5/6.6/6.7/6.8:  rubygem-json-1.4.6-2.el6 

The following repos have this srpm:

  [root@rhel6u9-3 ~]# yum repolist enabled
    rhel-6-server-rpms                                                  Red Hat Enterprise Linux 6 Server (RPMs)
    rhel-6-server-satellite-tools-6.6-rpms                              Red Hat Satellite Tools 6.6 (for RHEL 6 Server) (RPMs)
    rhel-6-server-satellite-tools-6.6-source-rpms                       Red Hat Satellite Tools 6.6 (for RHEL 6 Server) (Source RPMs)


Inspection
~~~~~~~~~~~

[1] Vulnerable files but code is absent:
	ext/json/ext/parser/parser.c
	ext/json/ext/parser/parser.rl

[2] Vulnerable code from lib:
	lib/json/add/core.rb
	lib/json/common.rb
	lib/json/pure/parser.rb

[3] Srpm 1.4.6-2 does not consist of these files:
	java/src/json/ext/Parser.java
	java/src/json/ext/Parser.rl

Please note that in the 1.4.z-stream we ship the "java stuff" in a separate package - v1.4.6-java
https://github.com/flori/json/releases/tag/v1.4.6-java

and the srpm uses 1.4.6-2.el6 without java
https://github.com/flori/json/releases/tag/v1.4.6


Analysis
~~~~~~~~~

[root@rhel6u9-3 ~]# cat /etc/redhat-release 
  Red Hat Enterprise Linux Server release 6.10 (Santiago)

[root@rhel6u9-3 ~]# yum list | grep rubygem-json
  rubygem-json.x86_64                 1.4.6-2.el6              @rhel-6-server-satellite-tools-6.6-rpms

[root@rhel6u9-3 ~]# uname -a
  Linux redacted.redhat.com 2.6.32-696.el6.x86_64 #1 SMP Tue Feb 21 00:53:17 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@rhel6u9-3 ~]# rvm use 2.0.0 --default
  Using /usr/local/rvm/gems/ruby-2.0.0-p648

[root@rhel6u9-3 ~]# ruby --version
  ruby 2.0.0p648 (2015-12-16 revision 53162) [x86_64-linux]

[root@rhel6u9-3 ~]# irb 
  2.0.0-p648 :001 > require 'json'
   => true 
  2.0.0-p648 :002 > JSON.parse "{\"json_class\":\"JSON::GenericObject\",\"foo\":\"bar\"}"
   => {"json_class"=>"JSON::GenericObject", "foo"=>"bar"}

rubygem-json should show the following if we are vulnerable:

[root@rhel6u9-3 ~]# irb 
  2.0.0-p648 :001 > require 'json'
   => true 
  2.0.0-p648 :002 > JSON.parse "{\"json_class\":\"JSON::GenericObject\",\"foo\":\"bar\"}"
   => #<JSON::GenericObject foo="bar">
  or 
   => ArgumentError: undefined class/module JSON::GenericObject


Conclusion
~~~~~~~~~~~
Red Hat Satellite uses gem rubygem-json-1.4.6 which is less than 1.5.5; however, from the analysis and inspection [3] it looks like the product is not vulnerable to the flaw. FYI, CVE-2020-10663 is an extension of CVE-2013-0269.

Since this gem is not supported by upstream now, we should update this to the latest; raised a regular bug for this: bug 1862203

Comment 38 Yadnyawalk Tale 2020-07-31 07:08:04 UTC
Added Red Hat Satellite 6 to the affects list and marked it notaffected.
(This may take time to populate in the table)

Comment 39 Yadnyawalk Tale 2020-07-31 07:12:49 UTC
Statement:

Red Hat Satellite tools ship RubyGem Json 1.4.6, which is earlier than the affected 1.5.5 version; however, this version of the RubyGem is not affected by the flaw. We may update the RubyGem in a future release.

Comment 40 sebastien.olivier 2020-07-31 11:57:18 UTC
(In reply to Yadnyawalk Tale from comment #39)
> Statement:
> 
> Red Hat Satellite tools ship RubyGem Json 1.4.6, which is earlier than the
> affected 1.5.5 version; however, this version of the RubyGem is not affected
> by the flaw. We may update the RubyGem in a future release.

Thank you all for the quick analysis, you're awesome!