Bug 1935724 (CVE-2019-25025) - CVE-2019-25025 rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-25025
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1936552 1936553
Blocks: 1935725
Reported: 2021-03-05 13:09 UTC by Michael Kaplan
Modified: 2021-12-14 18:47 UTC
CC List: 21 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the activerecord-session_store (Active Record Session Store) component through version 1.1.3 for Ruby on Rails where it does not use a constant-time approach when delivering information about whether a guessed session ID is valid. This flaw allows remote attackers to leverage timing discrepancies to achieve a correct guess in a relatively short amount of time.
Clone Of:
Environment:
Last Closed: 2021-11-13 15:51:36 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2021:4702 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2021-11-16 14:08:02 UTC)

Description Michael Kaplan 2021-03-05 13:09:16 UTC
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.
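The two defensive measures behind a finding like this, shown as an added Ruby example that is neither the gem's code nor the patch in PR 151: a comparison whose run time does not depend on where the first differing byte sits, and a store that keys rows by a SHA-256 digest of the public session ID so that any timing leak during lookup exposes only the digest. `HashedSessionStore` is a constructed in-memory stand-in for the sessions table.

```ruby
require 'digest'
require 'securerandom'

# Naive check: returns at the first mismatching byte, so response time reveals
# how many leading bytes of a guess are correct. (Illustrative; not the gem's code.)
def naive_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.each_byte.with_index { |byte, i| return false unless byte == b.getbyte(i) }
  true
end

# Constant-time comparison: always touches every byte and accumulates the
# differences with OR, so timing depends only on the length of +a+.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.each_byte.with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
  diff.zero?
end

# Constructed stand-in for a sessions table. Rows are keyed by the SHA-256
# digest ("private id") of the public session ID handed to the browser, so the
# raw ID is never the value a lookup compares against.
class HashedSessionStore
  def initialize
    @rows = {}
  end

  def self.private_id(public_id)
    Digest::SHA256.hexdigest(public_id)
  end

  # Returns the public ID to set in the cookie; only its digest is stored.
  def create(data)
    public_id = SecureRandom.hex(16)
    @rows[self.class.private_id(public_id)] = data
    public_id
  end

  # Digest the presented ID, then match it against stored digests in constant time.
  def find(public_id)
    key = self.class.private_id(public_id)
    @rows.each { |stored_key, data| return data if secure_compare(stored_key, key) }
    nil
  end
end
```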

Comment 2 Yadnyawalk Tale 2021-03-08 17:53:46 UTC
Proposed patch: https://github.com/rails/activerecord-session_store/pull/151 
(Not merged into activerecord-session_store yet).

Comment 4 Yadnyawalk Tale 2021-03-09 16:50:21 UTC
External References:

https://github.com/advisories/GHSA-cvw2-xj8r-mjf7

Comment 9 Eric Helms 2021-04-28 13:10:42 UTC
The upstream fix for this has been merged and released as part of activerecord-session_store version 2.0.0. I think this can move states now.

Comment 11 errata-xmlrpc 2021-11-16 14:08:00 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

