The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

The remote Red Hat Enterprise Linux CoreOS 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:0582 advisory.

  - rubygem-actionpack: Unsafe query generation (CVE-2012-2660)

  - rubygem-activerecord: SQL injection when processing nested query paramaters (CVE-2012-2661)

  - rubygem-actionpack: Unsafe query generation (a different flaw than CVE-2012-2660) (CVE-2012-2694)

  - rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than     CVE-2012-2661) (CVE-2012-2695)

  - rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest (CVE-2012-3424)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby     allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a     predictable name in /tmp. (CVE-2013-0162)

Note that Nessus relies on the presence of the package as reported by the vendor.

Red Hat OpenShift Enterprise 1.1.1 is now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution from Red Hat, and is designed for on-premise or private cloud deployments.

Installing the updated packages and restarting the OpenShift services are the only requirements for this update. However, if you are updating your system to Red Hat Enterprise Linux 6.4 while applying OpenShift Enterprise 1.1.1 updates, it is recommended that you restart your system.

For further information about this release, refer to the OpenShift Enterprise 1.1.1 Technical Notes, available shortly from https://access.redhat.com/knowledge/docs/

This update also fixes the following security issues :

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack.
(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
(CVE-2012-4522)

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, a new, more collision resistant algorithm has been used to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-5371)

Input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2013-0155)

Input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

A flaw was found in the handling of strings in Ruby safe level 4. A remote attacker can use Exception#to_s to destructively modify an untainted string so that it is tainted, the string can then be arbitrarily modified. (CVE-2012-4466)

A flaw was found in the method for translating an exception message into a string in the Ruby Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4464)

It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser. (CVE-2013-0162)

The CVE-2013-0162 issue was discovered by Michael Scherer of the Red Hat Regional IT team.

Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1.

Red Hat Subscription Asset Manager 1.2, which fixes several security issues, multiple bugs, and adds various enhancements, is now available.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines.

It was discovered that Katello did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to download consumer certificates or change settings of other users' systems if they knew the target system's UUID.
(CVE-2012-5603)

A vulnerability in rubygem-ldap_fluff allowed a remote attacker to bypass authentication and log into Subscription Asset Manager when a Microsoft Active Directory server was used as the back-end authentication server. (CVE-2012-5604)

It was found that the '/usr/share/katello/script/katello-generate-passphrase' utility, which is run during the installation and configuration process, set world-readable permissions on the '/etc/katello/secure/passphrase' file. A local attacker could use this flaw to obtain the passphrase for Katello, giving them access to information they would otherwise not have access to. (CVE-2012-5561)

Note: After installing this update, ensure the '/etc/katello/secure/passphrase' file is owned by the root user and group and mode 0750 permissions. Sites should also consider re-creating the Katello passphrase as this issue exposed it to local users.

Three flaws were found in rubygem-rack. A remote attacker could use these flaws to perform a denial of service attack against applications using rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)

A flaw was found in the way rubygem-activerecord dynamic finders extracted options from method parameters. A remote attacker could possibly use this flaw to perform SQL injection attacks against applications using the Active Record dynamic finder methods.
(CVE-2012-6496)

It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser. (CVE-2013-0162)

The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-5604 was discovered by Og Maciel of Red Hat; CVE-2012-5561 was discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering team; and CVE-2013-0162 was discovered by Michael Scherer of the Red Hat Regional IT team.

These updated Subscription Asset Manager packages include a number of bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Refer to the Red Hat Subscription Asset Manager 1.2 Release Notes for information about these changes :

https://access.redhat.com/knowledge/docs/en-US/ Red_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html

All users of Red Hat Subscription Asset Manager are advised to upgrade to these updated packages, which fix these issues and add various enhancements.

Michael Scherer reports :

This is a relatively minor tmp file usage issue.

ID	Name	Product	Family	Severity
311978	RHCOS 6 : Red Hat OpenShift Enterprise 1.1.1 update (Moderate) (RHSA-2013:0582)	Nessus	Red Hat Local Security Checks	high
261205	Linux Distros Unpatched Vulnerability : CVE-2013-0162	Nessus	Misc.	medium
119432	RHEL 6 : openshift (RHSA-2013:0582)	Nessus	Red Hat Local Security Checks	high
65172	RHEL 6 : Subscription Asset Manager (RHSA-2013:0544)	Nessus	Red Hat Local Security Checks	high
64875	FreeBSD : rubygem-ruby_parser -- insecure tmp file usage (e1aa3bdd-839a-4a77-8617-cca439a8f9fc)	Nessus	FreeBSD Local Security Checks	low

Detections

Analytics

CVE-2013-0162

medium

Tenable Plugins

high

medium

high

high

low