ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.

Red Hat OpenShift Enterprise 1.1.1 is now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution from Red Hat, and is designed for on-premise or private cloud deployments.

Installing the updated packages and restarting the OpenShift services are the only requirements for this update. However, if you are updating your system to Red Hat Enterprise Linux 6.4 while applying OpenShift Enterprise 1.1.1 updates, it is recommended that you restart your system.

For further information about this release, refer to the OpenShift Enterprise 1.1.1 Technical Notes, available shortly from https://access.redhat.com/knowledge/docs/

This update also fixes the following security issues :

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack.
(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
(CVE-2012-4522)

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, a new, more collision resistant algorithm has been used to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-5371)

Input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2013-0155)

Input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

A flaw was found in the handling of strings in Ruby safe level 4. A remote attacker can use Exception#to_s to destructively modify an untainted string so that it is tainted, the string can then be arbitrarily modified. (CVE-2012-4466)

A flaw was found in the method for translating an exception message into a string in the Ruby Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4464)

It was found that ruby_parser from rubygem-ruby_parser created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to the application using ruby_parser. (CVE-2013-0162)

The CVE-2013-0162 issue was discovered by Michael Scherer of the Red Hat Regional IT team.

Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1.

The remote host is affected by the vulnerability described in GLSA-201412-28 (Ruby on Rails: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Ruby on Rails. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code or cause a Denial of       Service condition. Furthermore, a remote attacker may be able to execute       arbitrary SQL commands, change parameter names for form inputs and make       changes to arbitrary records in the system, bypass intended access       restrictions, render arbitrary views, inject arbitrary web script or       HTML, or conduct cross-site request forgery (CSRF) attacks.
  Workaround :

    There is no known workaround at this time.

The Ruby on Rails 2.3 stack was updated to 2.3.17. The Ruby on Rails 3.2 stack was updated to 3.2.12.

The Ruby Rack was updated to 1.1.6. The Ruby Rack was updated to 1.2.8. The Ruby Rack was updated to 1.3.10. The Ruby Rack was updated to 1.4.5.

The updates fix various security issues and bugs.

  - update to version 2.3.17 (bnc#803336, bnc#803339)     CVE-2013-0276 CVE-2013-0277 :

  - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :

  - update to version 3.2.12 (bnc#803336) CVE-2013-0276:
    issue with attr_protected where malformed input could     circumvent protection

  - update to version 2.3.17 (bnc#803336, bnc#803339)     CVE-2013-0276 CVE-2013-0277 :

  - Fix issue with attr_protected where malformed input     could circumvent protection

  - Fix Serialized Attributes YAML Vulnerability

  - update to version 2.3.17 (bnc#803336, bnc#803339)     CVE-2013-0276 CVE-2013-0277 :

  - Fix issue with attr_protected where malformed input     could circumvent protection

  - Fix Serialized Attributes YAML Vulnerability

  - update to version 3.2.12 (bnc#803336) CVE-2013-0276 :

  - Quote numeric values being compared to non-numeric     columns. Otherwise, in some database, the string column     values will be coerced to a numeric allowing 0, 0.0 or     false to match any string starting with a non-digit.

  - update to 1.1.6 (bnc#802794)

  - Fix CVE-2013-0263, timing attack against     Rack::Session::Cookie

  - update to 1.2.8 (bnc#802794)

  - Fix CVE-2013-0263, timing attack against     Rack::Session::Cookie

  - update to 1.3.10 (bnc#802794)

  - Fix CVE-2013-0263, timing attack against     Rack::Session::Cookie

  - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)

  - Fix CVE-2013-0263, timing attack against     Rack::Session::Cookie

  - Fix CVE-2013-0262, symlink path traversal in Rack::File

  - ruby rack update to 1.4.4 (bnc#798452)

  - [SEC] Rack::Auth::AbstractRequest no longer symbolizes     arbitrary strings (CVE-2013-0184)

  - ruby rack changes from 1.4.3

  - Security: Prevent unbounded reads in large multipart     boundaries (CVE-2013-0183)

  - ruby rack changes from 1.4.2 (CVE-2012-6109)

  - Add warnings when users do not provide a session secret

  - Fix parsing performance for unquoted filenames

  - Updated URI backports

  - Fix URI backport version matching, and silence constant     warnings

  - Correct parameter parsing with empty values

  - Correct rackup '-I' flag, to allow multiple uses

  - Correct rackup pidfile handling

  - Report rackup line numbers correctly

  - Fix request loops caused by non-stale nonces with time     limits

  - Fix reloader on Windows

  - Prevent infinite recursions from Response#to_ary

  - Various middleware better conforms to the body close     specification

  - Updated language for the body close specification

  - Additional notes regarding ECMA escape compatibility     issues

  - Fix the parsing of multiple ranges in range headers

  - Prevent errors from empty parameter keys

  - Added PATCH verb to Rack::Request

  - Various documentation updates

  - Fix session merge semantics (fixes rack-test)

  - Rack::Static :index can now handle multiple directories

  - All tests now utilize Rack::Lint (special thanks to Lars     Gierth)

  - Rack::File cache_control parameter is now deprecated,     and removed by 1.5

  - Correct Rack::Directory script name escaping

  - Rack::Static supports header rules for sophisticated     configurations

  - Multipart parsing now works without a Content-Length     header

  - New logos courtesy of Zachary Scott!

  - Rack::BodyProxy now explicitly defines #each, useful for     C extensions

  - Cookies that are not URI escaped no longer cause     exceptions

The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-002 applied.  This update contains numerous security-related fixes for the following components :

  - CoreMedia Playback (10.7 only)
  - Directory Service (10.6 only)
  - OpenSSL
  - QuickDraw Manager
  - QuickTime
  - Ruby (10.6 only)
  - SMB (10.7 only)

Fix for CVE-2013-0276.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Aaron Patterson reports :

The attr_protected method allows developers to specify a blacklist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.

All users running an affected release should either upgrade or use one of the work arounds immediately. Users should also consider switching from attr_protected to the whitelist method attr_accessible which is not vulnerable to this attack.

Two vulnerabilities were discovered in Ruby on Rails, a Ruby framework for web application development.

  - CVE-2013-0276     The blacklist provided by the attr_protected method     could be bypassed with crafted requests, having an     application-specific impact.

  - CVE-2013-0277     In some applications, the +serialize+ helper in     ActiveRecord could be tricked into deserializing     arbitrary YAML data, possibly leading to remote code     execution.

ID	Name	Product	Family	Severity
119432	RHEL 6 : openshift (RHSA-2013:0582)	Nessus	Red Hat Local Security Checks	high
79981	GLSA-201412-28 : Ruby on Rails: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
74900	openSUSE Security Update : RubyOnRails (openSUSE-SU-2013:0338-1)	Nessus	SuSE Local Security Checks	critical
66809	Mac OS X Multiple Vulnerabilities (Security Update 2013-002)	Nessus	MacOS X Local Security Checks	critical
64738	Fedora 18 : rubygem-activemodel-3.2.8-2.fc18 (2013-2398)	Nessus	Fedora Local Security Checks	medium
64737	Fedora 17 : rubygem-activemodel-3.0.11-3.fc17 (2013-2391)	Nessus	Fedora Local Security Checks	medium
64667	FreeBSD : Ruby Activemodel Gem -- Circumvention of attr_protected (beab40bf-c1ca-4d2b-ad46-2f14bac8a968)	Nessus	FreeBSD Local Security Checks	medium
64591	Debian DSA-2620-1 : rails - several vulnerabilities	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2013-0276

high

Tenable Plugins

high

critical

critical

critical

medium

medium

medium

critical