Bug 831573 - (CVE-2012-2695) CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661)
CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested quer...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20120612,reported=2...
: Security
Depends On: 831582 831583 831728 831801 903994
Blocks: 767033 836071
  Show dependency treegraph
 
Reported: 2012-06-13 06:55 EDT by Jan Lieskovsky
Modified: 2015-07-31 02:52 EDT (History)
15 users (show)

See Also:
Fixed In Version: rubygem-activerecord 3.2.6, rubygem-activerecord 3.1.6, rubygem-activerecord 3.0.14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-19 01:06:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed upstream patch against the v2.3 branch (3.19 KB, patch)
2012-06-13 06:56 EDT, Jan Lieskovsky
no flags Details | Diff
Proposed upstream patch against the v3.0 branch (2.33 KB, patch)
2012-06-13 06:57 EDT, Jan Lieskovsky
no flags Details | Diff
Proposed upstream patch against the v3.1 branch (2.34 KB, patch)
2012-06-13 06:58 EDT, Jan Lieskovsky
no flags Details | Diff
Proposed upstream patch against the v3.2 branch (2.34 KB, patch)
2012-06-13 06:58 EDT, Jan Lieskovsky
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2012-06-13 06:55:10 EDT
Originally, the CVE-2012-2661 identifier has been assigned to the following issue:

A security flaw was found in the way rubygem-activerecord, the ActiveRecord pattern for ORM, performed SQL query generation based on the content of params hash, when nested query paramaters were provided. If a Ruby on Rails application directly passed request params to the 'where' method of an ActiveRecord class, a remote attacker could use this flaw to cause the 'params[:id]' to return a specially-crafted hash, resulting into the WHERE clause of the SQL statement to query an arbitrary table with value of attacker's choice, leading to disclosure of sensitive information. (bug 827363)

Recently (2012-06-12) it has been reported:
[1] https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59

that there still exists a variant of this attack, which is possible to exploit even when the upstream patch for the original CVE-2012-2661 issue has been applied. More from [1]:

--

Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2661, even if you upgraded to address that issue, you must take action again.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value. 

--

Proposed upstream patches (see attachments).
Comment 1 Jan Lieskovsky 2012-06-13 06:56:48 EDT
Created attachment 591438 [details]
Proposed upstream patch against the v2.3 branch
Comment 2 Jan Lieskovsky 2012-06-13 06:57:47 EDT
Created attachment 591439 [details]
Proposed upstream patch against the v3.0 branch
Comment 3 Jan Lieskovsky 2012-06-13 06:58:19 EDT
Created attachment 591440 [details]
Proposed upstream patch against the v3.1 branch
Comment 4 Jan Lieskovsky 2012-06-13 06:58:53 EDT
Created attachment 591441 [details]
Proposed upstream patch against the v3.2 branch
Comment 5 Jan Lieskovsky 2012-06-13 07:01:45 EDT
This issue affects the versions of the rubygem-activerecord package, as shipped with Fedora release of 15, 16, and 17. Please schedule an update.

--

This issue affects the version of the rubygem-activerecord package, as shipped with Fedora EPEL 5. Please schedule an update.
Comment 7 Jan Lieskovsky 2012-06-13 07:23:52 EDT
Created rubygem-activerecord tracking bugs for this issue

Affects: fedora-all [bug 831582]
Affects: epel-5 [bug 831583]
Comment 11 Fedora Update System 2012-06-30 04:25:08 EDT
rubygem-activerecord-3.0.10-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-06-30 04:27:19 EDT
rubygem-activerecord-3.0.11-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2012-12-04 14:31:26 EST
This issue has been addressed in following products:

  CloudForms for RHEL 6

Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html
Comment 14 errata-xmlrpc 2013-01-10 15:42:13 EST
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html
Comment 16 errata-xmlrpc 2013-02-28 14:07:39 EST
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html

Note You need to log in before you can comment on or make changes to this bug.