actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1542 advisory.

  - puppet: Filebucket arbitrary file read (CVE-2012-1986)

  - puppet: Filebucket denial of service (CVE-2012-1987)

  - puppet: Filebucket arbitrary code execution (CVE-2012-1988)

  - rubygem-mail: directory traversal (CVE-2012-2139)

  - rubygem-mail: arbitrary command execution when using exim or sendmail from commandline (CVE-2012-2140)

  - rubygem-actionpack: Unsafe query generation (CVE-2012-2660)

  - rubygem-activerecord: SQL injection when processing nested query paramaters (CVE-2012-2661)

  - rubygem-actionpack: Unsafe query generation (a different flaw than CVE-2012-2660) (CVE-2012-2694)

  - rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than     CVE-2012-2661) (CVE-2012-2695)

  - rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest (CVE-2012-3424)

  - rubygem-actionpack: potential XSS vulnerability in select_tag prompt (CVE-2012-3463)

  - rubygem-actionpack: potential XSS vulnerability (CVE-2012-3464)

  - rubygem-actionpack: XSS Vulnerability in strip_tags (CVE-2012-3465)

  - puppet: authenticated clients allowed to read arbitrary files from the puppet master (CVE-2012-3864)

  - puppet: authenticated clients allowed to delete arbitrary files on the puppet master (CVE-2012-3865)

  - puppet: insufficient validation of agent names in CN of SSL certificate requests (CVE-2012-3867)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Red Hat OpenShift Enterprise 1.1.1 is now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution from Red Hat, and is designed for on-premise or private cloud deployments.

Installing the updated packages and restarting the OpenShift services are the only requirements for this update. However, if you are updating your system to Red Hat Enterprise Linux 6.4 while applying OpenShift Enterprise 1.1.1 updates, it is recommended that you restart your system.

For further information about this release, refer to the OpenShift Enterprise 1.1.1 Technical Notes, available shortly from https://access.redhat.com/knowledge/docs/

This update also fixes the following security issues :

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack.
(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
(CVE-2012-4522)

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, a new, more collision resistant algorithm has been used to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-5371)

Input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2013-0155)

Input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

A flaw was found in the handling of strings in Ruby safe level 4. A remote attacker can use Exception#to_s to destructively modify an untainted string so that it is tainted, the string can then be arbitrarily modified. (CVE-2012-4466)

A flaw was found in the method for translating an exception message into a string in the Ruby Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4464)

It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser. (CVE-2013-0162)

The CVE-2013-0162 issue was discovered by Michael Scherer of the Red Hat Regional IT team.

Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1.

Multiple version upgrades for rails components.

3 Security issues were fixed in rails 2.3 core components.

2 NULL query issues where fixed in the actionpack gem. 1 SQL injection was fixed in the activerecord gem.

Updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages that fix multiple security issues are now available for Red Hat Subscription Asset Manager.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Active Record implements object-relational mapping for accessing database entries using objects. Active Support provides support and utility classes used by the Ruby on Rails framework.

Multiple flaws were found in the way Ruby on Rails performed XML parameter parsing in HTTP requests. A remote attacker could use these flaws to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass the authentication using a specially-created HTTP request. (CVE-2013-0156)

Red Hat is aware that a public exploit for the CVE-2013-0156 issues is available that allows remote code execution in applications using Ruby on Rails.

Multiple input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496, CVE-2013-0155)

Multiple input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack.
(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

Users are advised to upgrade to these updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages, which resolve these issues. Katello must be restarted ('service katello restart') for this update to take effect.

Fix for CVE-2012-2694.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
193969	RHEL 6 : CloudForms Commons 1.1 (RHSA-2012:1542)	Nessus	Red Hat Local Security Checks	high
119432	RHEL 6 : openshift (RHSA-2013:0582)	Nessus	Red Hat Local Security Checks	high
74727	openSUSE Security Update : rubygem-actionmailer-3_2 / rubygem-actionpack-3_2 / rubygem-activemodel-3_2 / etc (openSUSE-SU-2012:1066-1)	Nessus	SuSE Local Security Checks	high
74710	openSUSE Security Update : rubygem-actionpack/activerecord-2_3 (openSUSE-SU-2012:0978-1)	Nessus	SuSE Local Security Checks	high
64076	RHEL 6 : Ruby on Rails in Subscription Asset Manager (RHSA-2013:0154)	Nessus	Red Hat Local Security Checks	high
59805	Fedora 16 : rubygem-actionpack-3.0.10-7.fc16 (2012-9636)	Nessus	Fedora Local Security Checks	medium
59802	Fedora 17 : rubygem-actionpack-3.0.11-5.fc17 (2012-9606)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2012-2694

medium

Tenable Plugins

high

high

high

high

high

medium

medium