Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal. Reference: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml
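As an added defensive illustration (not Rack's own code, and not the upstream patch), the following shows the mitigation idea behind this class of bug: request-derived strings are escaped before they reach a terminal-bound log, so a crafted path or header cannot emit a live escape sequence. `SafeRequestLogger` and `sanitize_log_field` are hypothetical names; the middleware only touches the Rack env hash, so it runs without the rack gem installed.

```ruby
# Escape every C0 control byte (including ESC, 0x1b) and DEL so the log line
# holds only printable characters. The input is treated as raw bytes (.b)
# because Rack env strings are usually ASCII-8BIT and may not be valid UTF-8.
# C1 controls (0x80-0x9f) are not handled here; ESC-based sequences are the
# ones terminals act on in practice.
def sanitize_log_field(value)
  value.to_s.b.gsub(/[\x00-\x1f\x7f]/) do |ch|
    case ch
    when "\e" then '\\e'
    when "\n" then '\\n'
    when "\r" then '\\r'
    when "\t" then '\\t'
    else format('\\x%02X', ch.ord)
    end
  end
end

# Minimal Rack-style middleware in the spirit of CommonLogger: it writes one
# line per request, but every request-controlled field is sanitized first.
# (Hypothetical class, added for this example.)
class SafeRequestLogger
  FIELDS = %w[REQUEST_METHOD PATH_INFO QUERY_STRING HTTP_USER_AGENT].freeze

  def initialize(app, io = $stderr)
    @app = app
    @io = io
  end

  def call(env)
    status, headers, body = @app.call(env)
    @io.puts(self.class.format_line(env, status))
    [status, headers, body]
  end

  # Builds "METHOD PATH QUERY UA STATUS" with control bytes escaped.
  def self.format_line(env, status)
    FIELDS.map { |k| sanitize_log_field(env[k]) }.push(status).join(' ')
  end
end

# Constructed sample: a path carrying an OSC title-setting sequence.
if __FILE__ == $PROGRAM_NAME
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => "/\e]0;evil\a",
          'QUERY_STRING' => '', 'HTTP_USER_AGENT' => 'curl' }
  puts SafeRequestLogger.format_line(env, 200) # => GET /\e]0;evil\x07  curl 200
end
```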
Created rubygem-rack tracking bugs for this issue:

Affects: epel-all [bug 2099525]
> Fixed In Version: rubygem-rack 2.0.9.1, rubygem-rack 2.1.4.1, rubygem-rack 2.2.3.1

Looking at the rack gem, all the Fedoras (37, 36, 35) and EPEL 9 and 8 are also affected. Not sure about EPEL 7.

https://rubygems.org/gems/rack
https://src.fedoraproject.org/rpms/rubygem-rack

Fedora 37: rubygem-rack-2.2.3-8.fc37
Fedora 36: rubygem-rack-2.2.3-8.fc36
Fedora 35: rubygem-rack-2.2.3-6.fc35
Fedora EPEL 9: rubygem-rack-2.2.3-8.el9
Fedora EPEL 8: rubygem-rack-2.2.2-1.el8
Fedora EPEL 7: rubygem-rack-1.6.12-1.el7 => affected?
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2022:7343 https://access.redhat.com/errata/RHSA-2022:7343
Hi, an OpenStack customer is asking if this is somehow going to make it into RHOSP 13. Is this fix needed for OpenStack? What impact does this issue have on OpenStack, if any? Thank you!
(In reply to Jun Aruga from comment #3)
> > Fixed In Version: rubygem-rack 2.0.9.1, rubygem-rack 2.1.4.1, rubygem-rack 2.2.3.1
>
> Seeing the rack gem, All the Fedoras (37, 36, 35), and EPEL 9, 8 are also
> affected. Not sure for the EPEL 7.
> https://rubygems.org/gems/rack
>
> https://src.fedoraproject.org/rpms/rubygem-rack
> Fedora 37 rubygem-rack-2.2.3-8.fc37
> Fedora 36 rubygem-rack-2.2.3-8.fc36
> Fedora 35 rubygem-rack-2.2.3-6.fc35
> Fedora EPEL 9 rubygem-rack-2.2.3-8.el9
> Fedora EPEL 8 rubygem-rack-2.2.2-1.el8
> Fedora EPEL 7 rubygem-rack-1.6.12-1.el7 => affected?

Sorry, my mistake. It seems that it was already fixed in the Fedoras and EPEL 9, by rubygem-rack 2.2.3.
This issue has been addressed in the following products:

Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2023:0632 https://access.redhat.com/errata/RHSA-2023:0632
This issue has been addressed in the following products:

Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2023:1486 https://access.redhat.com/errata/RHSA-2023:1486
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-30123