Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings."

The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails 3.2 stack was updated to 3.2.12.

The Ruby Rack was updated to 1.1.6. The Ruby Rack was updated to 1.2.8. The Ruby Rack was updated to 1.3.10. The Ruby Rack was updated to 1.4.5.

The updates fix various security issues and bugs.

  - update to version 2.3.17 (bnc#803336, bnc#803339)     CVE-2013-0276 CVE-2013-0277 :

  - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :

  - update to version 3.2.12 (bnc#803336) CVE-2013-0276:
    issue with attr_protected where malformed input could     circumvent protection

  - update to version 2.3.17 (bnc#803336, bnc#803339)     CVE-2013-0276 CVE-2013-0277 :

  - Fix issue with attr_protected where malformed input     could circumvent protection

  - Fix Serialized Attributes YAML Vulnerability

  - update to version 2.3.17 (bnc#803336, bnc#803339)     CVE-2013-0276 CVE-2013-0277 :

  - Fix issue with attr_protected where malformed input     could circumvent protection

  - Fix Serialized Attributes YAML Vulnerability

  - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :

  - Quote numeric values being compared to non-numeric     columns. Otherwise, in some database, the string column     values will be coerced to a numeric allowing 0, 0.0 or     false to match any string starting with a non-digit.

  - update to 1.1.6 (bnc#802794)

  - Fix CVE-2013-0263, timing attack against     Rack::Session::Cookie

  - update to 1.2.8 (bnc#802794)

  - Fix CVE-2013-0263, timing attack against     Rack::Session::Cookie

  - update to 1.3.10 (bnc#802794)

  - Fix CVE-2013-0263, timing attack against     Rack::Session::Cookie

  - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)

  - Fix CVE-2013-0263, timing attack against     Rack::Session::Cookie

  - Fix CVE-2013-0262, symlink path traversal in Rack::File

  - ruby rack update to 1.4.4 (bnc#798452)

  - [SEC] Rack::Auth::AbstractRequest no longer symbolizes     arbitrary strings (CVE-2013-0184)

  - ruby rack changes from 1.4.3

  - Security: Prevent unbounded reads in large multipart     boundaries (CVE-2013-0183)

  - ruby rack changes from 1.4.2 (CVE-2012-6109)

  - Add warnings when users do not provide a session secret

  - Fix parsing performance for unquoted filenames

  - Updated URI backports

  - Fix URI backport version matching, and silence constant     warnings

  - Correct parameter parsing with empty values

  - Correct rackup '-I' flag, to allow multiple uses

  - Correct rackup pidfile handling

  - Report rackup line numbers correctly

  - Fix request loops caused by non-stale nonces with time     limits

  - Fix reloader on Windows

  - Prevent infinite recursions from Response#to_ary

  - Various middleware better conforms to the body close     specification

  - Updated language for the body close specification

  - Additional notes regarding ECMA escape compatibility     issues

  - Fix the parsing of multiple ranges in range headers

  - Prevent errors from empty parameter keys

  - Added PATCH verb to Rack::Request

  - Various documentation updates

  - Fix session merge semantics (fixes rack-test)

  - Rack::Static :index can now handle multiple directories

  - All tests now utilize Rack::Lint (special thanks to Lars     Gierth)

  - Rack::File cache_control parameter is now deprecated,     and removed by 1.5

  - Correct Rack::Directory script name escaping

  - Rack::Static supports header rules for sophisticated     configurations

  - Multipart parsing now works without a Content-Length     header

  - New logos courtesy of Zachary Scott!

  - Rack::BodyProxy now explicitly defines #each, useful for     C extensions

  - Cookies that are not URI escaped no longer cause     exceptions

The remote host is affected by the vulnerability described in GLSA-201405-10 (Rack: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Rack. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, or obtain       sensitive information.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface. The Common Vulnerabilites and Exposures project identifies the following vulnerabilities :

  - CVE-2011-5036     Rack computes hash values for form parameters without     restricting the ability to trigger hash collisions     predictably, which allows remote attackers to cause a     denial of service (CPU consumption) by sending many     crafted parameters.

  - CVE-2013-0183     A remote attacker could cause a denial of service     (memory consumption and out-of-memory error) via a long     string in a Multipart HTTP packet.

  - CVE-2013-0184     A vulnerability in Rack::Auth::AbstractRequest allows     remote attackers to cause a denial of service via     unknown vectors.

  - CVE-2013-0263     Rack::Session::Cookie allows remote attackers to guess     the session cookie, gain privileges, and execute     arbitrary code via a timing attack involving an HMAC     comparison function that does not run in constant time.

Red Hat Subscription Asset Manager 1.2, which fixes several security issues, multiple bugs, and adds various enhancements, is now available.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines.

It was discovered that Katello did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to download consumer certificates or change settings of other users' systems if they knew the target system's UUID.
(CVE-2012-5603)

A vulnerability in rubygem-ldap_fluff allowed a remote attacker to bypass authentication and log into Subscription Asset Manager when a Microsoft Active Directory server was used as the back-end authentication server. (CVE-2012-5604)

It was found that the '/usr/share/katello/script/katello-generate-passphrase' utility, which is run during the installation and configuration process, set world-readable permissions on the '/etc/katello/secure/passphrase' file. A local attacker could use this flaw to obtain the passphrase for Katello, giving them access to information they would otherwise not have access to. (CVE-2012-5561)

Note: After installing this update, ensure the '/etc/katello/secure/passphrase' file is owned by the root user and group and mode 0750 permissions. Sites should also consider re-creating the Katello passphrase as this issue exposed it to local users.

Three flaws were found in rubygem-rack. A remote attacker could use these flaws to perform a denial of service attack against applications using rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)

A flaw was found in the way rubygem-activerecord dynamic finders extracted options from method parameters. A remote attacker could possibly use this flaw to perform SQL injection attacks against applications using the Active Record dynamic finder methods.
(CVE-2012-6496)

It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser. (CVE-2013-0162)

The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-5604 was discovered by Og Maciel of Red Hat; CVE-2012-5561 was discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering team; and CVE-2013-0162 was discovered by Michael Scherer of the Red Hat Regional IT team.

These updated Subscription Asset Manager packages include a number of bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Refer to the Red Hat Subscription Asset Manager 1.2 Release Notes for information about these changes :

https://access.redhat.com/knowledge/docs/en-US/ Red_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html

All users of Red Hat Subscription Asset Manager are advised to upgrade to these updated packages, which fix these issues and add various enhancements.

Fixes for CVE-2011-6109, CVE-2013-0183 and CVE-2013-0184.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
74900	openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)	Nessus	SuSE Local Security Checks	critical
74053	GLSA-201405-10 : Rack: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
70534	Debian DSA-2783-1 : librack-ruby - several vulnerabilities	Nessus	Debian Local Security Checks	medium
65172	RHEL 6 : Subscription Asset Manager (RHSA-2013:0544)	Nessus	Red Hat Local Security Checks	high
64254	Fedora 16 : rubygem-rack-1.3.0-3.fc16 (2013-0896)	Nessus	Fedora Local Security Checks	medium
64253	Fedora 17 : rubygem-rack-1.4.0-3.fc17 (2013-0861)	Nessus	Fedora Local Security Checks	medium
64251	Fedora 18 : rubygem-rack-1.4.0-4.fc18 (2013-0837)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2013-0184

high

Tenable Plugins

critical

medium

medium

high

medium

medium

medium