Bug 1827500 (CVE-2020-10663) - CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON
Summary: CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10663
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1827501 1827502 1827503 1827504 1827505 1827506 1827664 1828192 1831094 1831095 1831096 1831097 1831098 1831099 1838853 1840152 1840153 1840154 1842762 1954952 1955054 1957120 2055226 2055236
Blocks: 1827508
TreeView+ depends on / blocked
 
Reported: 2020-04-24 04:18 UTC by Pedro Sampaio
Modified: 2022-02-21 10:12 UTC (History)
61 users (show)

Fixed In Version: rubygem-json 2.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.
Clone Of:
Environment:
Last Closed: 2020-06-10 11:20:26 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2462 0 None None None 2020-06-10 14:35:06 UTC
Red Hat Product Errata RHSA-2020:2473 0 None None None 2020-06-10 09:25:52 UTC
Red Hat Product Errata RHSA-2020:2670 0 None None None 2020-06-23 13:06:21 UTC
Red Hat Product Errata RHSA-2021:2587 0 None None None 2021-06-29 16:03:33 UTC
Red Hat Product Errata RHSA-2021:2588 0 None None None 2021-06-29 16:04:23 UTC
Red Hat Product Errata RHSA-2022:0581 0 None None None 2022-02-21 10:11:11 UTC
Red Hat Product Errata RHSA-2022:0582 0 None None None 2022-02-21 10:12:08 UTC

Description Pedro Sampaio 2020-04-24 04:18:35 UTC 
In rubygem-json before 2.3.0 there is an unsafe object creation vulnerability. When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269.

References:

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Comment 1 Pedro Sampaio 2020-04-24 04:20:05 UTC 
Created jruby tracking bugs for this issue:

Affects: fedora-all [bug 1827506]


Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1827505]


Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1827503]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1827504]


Created rubygem-json tracking bugs for this issue:

Affects: epel-6 [bug 1827502]
Affects: fedora-all [bug 1827501]
Comment 5 Mamoru TASAKA 2020-04-24 15:09:15 UTC 
https://hackerone.com/reports/706934
https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01
Comment 15 Hardik Vyas 2020-06-02 04:23:50 UTC 
Statement:

Red Hat CloudForms 5 uses vulnerable rubygem-json, however, is not vulnerable in Ruby since it does not use version which includes JSON into stdlib.

This issue affects the version of JSON(embedded in pcs) as shipped with Red Hat Gluster Storage 3. However, the vulnerable method calls are currently not used by the product and hence this issue has been rated as having a security impact of Low.
Comment 16 Hardik Vyas 2020-06-02 04:23:54 UTC 
External References:

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663
Comment 17 Hardik Vyas 2020-06-02 04:23:58 UTC 
Mitigation:

To mitigate this vulnerability, do not supply untrusted user input and/or untrusted strings to the following method calls or utilize code libraries which do so:

```
JSON(user_input)
JSON[user_input, nil]
JSON.parse(user_input, nil)
JSON::Parser.new(user_input).parse
```

Also note that JSON.load() should never be given input from unknown sources.
Comment 18 errata-xmlrpc 2020-06-10 09:25:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2473 https://access.redhat.com/errata/RHSA-2020:2473
Comment 19 Product Security DevOps Team 2020-06-10 11:20:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10663
Comment 20 errata-xmlrpc 2020-06-10 14:35:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2462 https://access.redhat.com/errata/RHSA-2020:2462
Comment 21 errata-xmlrpc 2020-06-23 13:06:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2670 https://access.redhat.com/errata/RHSA-2020:2670
Comment 22 Jun Aruga 2020-08-06 08:42:54 UTC 
(In reply to Mamoru TASAKA from comment #5)
> https://hackerone.com/reports/706934
> https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
> Affected versions
>     JSON gem 2.2.0 or prior

Note that the CVE-2020-10663 can also be fixed by upgrading Ruby to 2.7.1, 2.6.6 or 2.5.8.

https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/
https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
Comment 23 errata-xmlrpc 2021-05-25 13:14:09 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104
Comment 24 errata-xmlrpc 2021-06-03 11:25:54 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
Comment 25 errata-xmlrpc 2021-06-29 16:03:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587
Comment 26 errata-xmlrpc 2021-06-29 16:04:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
Comment 28 errata-xmlrpc 2022-02-21 10:11:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
Comment 29 errata-xmlrpc 2022-02-21 10:12:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
Note You need to log in before you can comment on or make changes to this bug.