Bug 1789100 (CVE-2019-16782) - CVE-2019-16782 rubygem-rack: hijack sessions by using timing attacks targeting the session id
Summary: CVE-2019-16782 rubygem-rack: hijack sessions by using timing attacks targetin...
Alias: CVE-2019-16782
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1789102 1797949 1797954 1797955 1825820 1825821 1789101 1789103 1790305 1790340 1790341 1790342 1790343 1790344 1790345 1790346 1790347 1790348 1793968 1797947 1797948 1797950 1797951 1797952 1797953 1804332
Blocks: 1789104
TreeView+ depends on / blocked
Reported: 2020-01-08 18:14 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-10-27 12:55 UTC (History)
49 users (show)

Fixed In Version: Rack 1.6.12, Rack 2.0.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-rack in versions prior to 1.6.12 and 2.0.8. An information leak may allow an attacker to find and hijack sessions using timing attacks targeting the session ID. The highest threat from the vulnerability is to data confidentiality.
Clone Of:
Last Closed: 2020-06-10 17:20:27 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2480 None None None 2020-06-10 13:39:07 UTC
Red Hat Product Errata RHSA-2020:4366 None None None 2020-10-27 12:55:43 UTC

Description Guilherme de Almeida Suckevicz 2020-01-08 18:14:53 UTC
There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.


Upstream commit:

Comment 1 Guilherme de Almeida Suckevicz 2020-01-08 18:15:32 UTC
Created rubygem-rack tracking bugs for this issue:

Affects: epel-6 [bug 1789102]
Affects: epel-7 [bug 1789103]
Affects: fedora-all [bug 1789101]

Comment 2 Summer Long 2020-01-13 04:07:05 UTC

There is no mitigation for this issue, the flaw can only be resolved by applying updates.

Comment 12 Marco Benatto 2020-02-18 17:26:18 UTC
External References:


Comment 15 errata-xmlrpc 2020-06-10 13:39:05 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.11

Via RHSA-2020:2480 https://access.redhat.com/errata/RHSA-2020:2480

Comment 16 Product Security DevOps Team 2020-06-10 17:20:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 17 Eric Christensen 2020-08-24 16:09:33 UTC

Because Red Hat OpenStack Platform 13.0 Operational Tools packaged the flawed code, but does not use its functionality, its Impact has been reduced to 'Low'.

Comment 18 errata-xmlrpc 2020-10-27 12:55:40 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366

Note You need to log in before you can comment on or make changes to this bug.