RHEL 6 : rubygem-activesupport in Subscription Asset Manager (RHSA-2013:0201)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing a security update.

Description :

An updated rubygem-activesupport package that fixes one security issue
is now available for Red Hat Subscription Asset Manager.

The Red Hat Security Response Team has rated this update as having
critical security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from
the CVE link in the References section.

Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Active Support provides support and utility
classes used by the Ruby on Rails framework.

A flaw was found in the way Active Support parsed JSON requests: the
JSON body was translated to YAML and then handed to the YAML parser. A
remote attacker could use this flaw to execute arbitrary code with the
privileges of the Ruby on Rails application, perform SQL injection
attacks, or bypass authentication using a specially crafted JSON
request. (CVE-2013-0333)

Red Hat would like to thank Ruby on Rails upstream for reporting this
issue. Upstream acknowledges Lawrence Pit of Mirror42 as the original
reporter.

Users of Red Hat Subscription Asset Manager are advised to upgrade to
this updated package, which resolves this issue. Katello must be
restarted ('service katello restart') for this update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2013-0333.html
http://rhn.redhat.com/errata/RHSA-2013-0201.html

Solution :

Update the affected rubygem-activesupport package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 64281

Bugtraq ID:

CVE ID: CVE-2013-0333