Bug 827363 (CVE-2012-2661) - CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested query parameters
Summary: CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested quer...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2661
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 827365 829510 829511
Blocks: 767033 836071
Reported: 2012-06-01 08:41 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:53 UTC (History)
CC List: 14 users

Fixed In Version: rubygem-actionpack 3.0.13, rubygem-actionpack 3.1.5, rubygem-actionpack 3.2.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 15:23:45 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2012:1542 | 0 | normal | SHIPPED_LIVE | Moderate: CloudForms Commons 1.1 security update | 2012-12-05 00:29:06 UTC
Red Hat Product Errata | RHSA-2013:0154 | 0 | normal | SHIPPED_LIVE | Critical: Ruby on Rails security update | 2013-01-11 01:38:55 UTC
Red Hat Product Errata | RHSA-2013:0582 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat OpenShift Enterprise 1.1.1 update | 2013-03-01 00:05:18 UTC

Description Jan Lieskovsky 2012-06-01 08:41:58 UTC
A security flaw was found in the way rubygem-activerecord, the ActiveRecord pattern for ORM, performed SQL query generation based on the content of the params hash when nested query parameters were provided. If a Ruby on Rails application directly passed request params to the 'where' method of an ActiveRecord class, a remote attacker could use this flaw to cause 'params[:id]' to return a specially-crafted hash, resulting in the WHERE clause of the SQL statement querying an arbitrary table with a value of the attacker's choice, leading to disclosure of sensitive information.

Upstream advisory announcement:
[1] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/7546a238e1962f59

Relevant patches:
[2] http://groups.google.com/group/rubyonrails-security/attach/fc2da6c627fc92df/3-0-params_sql_injection.patch?part=3
    (against v3.0 branch)
[3] http://groups.google.com/group/rubyonrails-security/attach/fc2da6c627fc92df/3-1-params_sql_injection.patch?part=4
    (against v3.1 branch)
[4] http://groups.google.com/group/rubyonrails-security/attach/fc2da6c627fc92df/3-2-params_sql_injection.patch?part=5
    (against v3.2 branch)

Comment 1 Jan Lieskovsky 2012-06-01 08:46:46 UTC
Further details from the upstream advisory [1] on how to verify the presence of the flaw:
===============================================================================

Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
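
A defensive check for the pattern described in the description and in the advisory text above, added here as an example; it is not code from the bug report or from Rails. It assumes `params` is a plain Hash with symbol keys, as Rails hands to a controller, and the helper names `scalar_param` and `post_where_conditions` are hypothetical:

```ruby
# Added defensive example; not code from the bug report or from Rails.
# It keeps the call shape `Post.where(:id => params[:id])` but validates
# the parameter first, so a nested (Hash) value never reaches `where`.
# Assumption: params is a plain Hash with symbol keys.

class NestedParamError < ArgumentError; end

# Return params[key] only when it is a scalar or a flat Array of scalars.
# A Hash value is exactly the nested shape the advisory describes, so it
# is rejected here instead of being interpreted by the query builder.
def scalar_param(params, key)
  value = params[key]
  case value
  when nil, String, Integer
    value
  when Array
    unless value.all? { |v| v.is_a?(String) || v.is_a?(Integer) }
      raise NestedParamError, "#{key}: array contains a nested value"
    end
    value
  else
    raise NestedParamError, "#{key}: expected a scalar, got #{value.class}"
  end
end

# Build the conditions hash for Post.where. The id column is numeric, so
# every value is coerced with Integer(), which raises ArgumentError on
# anything that is not a well-formed integer string.
def post_where_conditions(params)
  id = scalar_param(params, :id)
  return {} if id.nil?
  { id: id.is_a?(Array) ? id.map { |v| Integer(v) } : Integer(id) }
end

# In a controller the lookup would then read:
#   Post.where(post_where_conditions(params)).all
```

The same shape of check applies to any request parameter forwarded to `where`; the point is that a value expected to be a scalar is coerced to its column type before the query builder sees it.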

Comment 2 Jan Lieskovsky 2012-06-01 08:48:32 UTC
This issue affects the versions of the rubygem-activerecord package as shipped with Fedora releases 15 and 16. Please schedule an update.

--

This issue did NOT affect the version of the rubygem-activerecord package, as shipped with Fedora EPEL 5. The affected functionality is not present in that version (yet).

Comment 3 Jan Lieskovsky 2012-06-01 08:49:46 UTC
Created rubygem-activerecord tracking bugs for this issue

Affects: fedora-all [bug 827365]

Comment 7 Fedora Update System 2012-06-15 12:30:54 UTC
rubygem-activerecord-3.0.10-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-06-15 12:31:31 UTC
rubygem-activerecord-3.0.5-3.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-06-15 12:32:26 UTC
rubygem-activerecord-3.0.11-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2012-12-04 19:31:18 UTC
This issue has been addressed in the following products:

  CloudForms for RHEL 6

Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html

Comment 11 errata-xmlrpc 2013-01-10 20:42:08 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html

Comment 12 errata-xmlrpc 2013-02-28 19:07:35 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html
