Bug 831573 (CVE-2012-2695) - CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661)
Summary: CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested quer...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2695
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 831582 831583 831728 831801 903994
Blocks: 767033 836071
TreeView+ depends on / blocked
 
Reported: 2012-06-13 10:55 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:53 UTC (History)
15 users (show)

Fixed In Version: rubygem-activerecord 3.2.6, rubygem-activerecord 3.1.6, rubygem-activerecord 3.0.14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-19 05:06:26 UTC
Embargoed:


Attachments (Terms of Use)
Proposed upstream patch against the v2.3 branch (3.19 KB, patch)
2012-06-13 10:56 UTC, Jan Lieskovsky
no flags Details | Diff
Proposed upstream patch against the v3.0 branch (2.33 KB, patch)
2012-06-13 10:57 UTC, Jan Lieskovsky
no flags Details | Diff
Proposed upstream patch against the v3.1 branch (2.34 KB, patch)
2012-06-13 10:58 UTC, Jan Lieskovsky
no flags Details | Diff
Proposed upstream patch against the v3.2 branch (2.34 KB, patch)
2012-06-13 10:58 UTC, Jan Lieskovsky
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1542 0 normal SHIPPED_LIVE Moderate: CloudForms Commons 1.1 security update 2012-12-05 00:29:06 UTC
Red Hat Product Errata RHSA-2013:0154 0 normal SHIPPED_LIVE Critical: Ruby on Rails security update 2013-01-11 01:38:55 UTC
Red Hat Product Errata RHSA-2013:0582 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise 1.1.1 update 2013-03-01 00:05:18 UTC

Description Jan Lieskovsky 2012-06-13 10:55:10 UTC
Originally, the CVE-2012-2661 identifier has been assigned to the following issue:

A security flaw was found in the way rubygem-activerecord, the ActiveRecord pattern for ORM, performed SQL query generation based on the content of params hash, when nested query paramaters were provided. If a Ruby on Rails application directly passed request params to the 'where' method of an ActiveRecord class, a remote attacker could use this flaw to cause the 'params[:id]' to return a specially-crafted hash, resulting into the WHERE clause of the SQL statement to query an arbitrary table with value of attacker's choice, leading to disclosure of sensitive information. (bug 827363)

Recently (2012-06-12) it has been reported:
[1] https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59

that there still exists a variant of this attack, which is possible to exploit even when the upstream patch for the original CVE-2012-2661 issue has been applied. More from [1]:

--

Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2661, even if you upgraded to address that issue, you must take action again.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value. 

--

Proposed upstream patches (see attachments).

Comment 1 Jan Lieskovsky 2012-06-13 10:56:48 UTC
Created attachment 591438 [details]
Proposed upstream patch against the v2.3 branch

Comment 2 Jan Lieskovsky 2012-06-13 10:57:47 UTC
Created attachment 591439 [details]
Proposed upstream patch against the v3.0 branch

Comment 3 Jan Lieskovsky 2012-06-13 10:58:19 UTC
Created attachment 591440 [details]
Proposed upstream patch against the v3.1 branch

Comment 4 Jan Lieskovsky 2012-06-13 10:58:53 UTC
Created attachment 591441 [details]
Proposed upstream patch against the v3.2 branch

Comment 5 Jan Lieskovsky 2012-06-13 11:01:45 UTC
This issue affects the versions of the rubygem-activerecord package, as shipped with Fedora release of 15, 16, and 17. Please schedule an update.

--

This issue affects the version of the rubygem-activerecord package, as shipped with Fedora EPEL 5. Please schedule an update.

Comment 7 Jan Lieskovsky 2012-06-13 11:23:52 UTC
Created rubygem-activerecord tracking bugs for this issue

Affects: fedora-all [bug 831582]
Affects: epel-5 [bug 831583]

Comment 11 Fedora Update System 2012-06-30 08:25:08 UTC
rubygem-activerecord-3.0.10-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2012-06-30 08:27:19 UTC
rubygem-activerecord-3.0.11-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2012-12-04 19:31:26 UTC
This issue has been addressed in following products:

  CloudForms for RHEL 6

Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html

Comment 14 errata-xmlrpc 2013-01-10 20:42:13 UTC
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html

Comment 16 errata-xmlrpc 2013-02-28 19:07:39 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html


Note You need to log in before you can comment on or make changes to this bug.