=====================================================================
CERT-Renater Information Note No. 2014/VULN139
_____________________________________________________________________

DATE : 07/07/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Rails versions prior to 4.0.8, 4.1.4, 3.2.19.
======================================================================

http://weblog.rubyonrails.org/2014/7/2/Rails_4_0_8_and_4_1_4_have_been_released/
http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/
https://code.google.com/p/timthumb/issues/detail?id=485
______________________________________________________________________

Rails 4.0.8 and 4.1.4 have been released!

Posted by rafaelfranca, July 2, 2014 @ 12:55 pm

Hi everyone!

Rails 4.0.8 and 4.1.4 have been released!

The security patches introduced a regression on the PostgreSQL Range feature. This regression was only introduced to Rails 4.x. Rails 3.2 users are not impacted.

The commits for 4.0.8 can be found here, and the commits for 4.1.4 can be found here.
Here are the checksums for 4.0.8:

$ shasum *4.0.8*
1214de9fa493f5a23c87f7a7c2f1af84f67b60b6  actionmailer-4.0.8.gem
342aa07585b9b4b32ba37c8baf6fe93c53619ad6  actionpack-4.0.8.gem
b40e3b1bbd744b868f74c26e1088d73c9e7d7297  activemodel-4.0.8.gem
b1e28bdad10f21ed8af8b3b8b5e70f0110d19dff  activerecord-4.0.8.gem
1d3d2a767478aee5be22db197b2ec06cdaede10a  activesupport-4.0.8.gem
dbfa6c723191bf61d1c2d3f9809259f419956a74  rails-4.0.8.gem
f22a0677d9151d1f31d109b1c0687b53e06a94f7  railties-4.0.8.gem

Here are the checksums for 4.1.4:

$ shasum *4.1.4*
5e6426134003a55e0f43ff371521f6d66c8881b7  actionmailer-4.1.4.gem
79e84be29d961ef2c175cb5258b1d8c78ad6460f  actionpack-4.1.4.gem
8ba89c7399b81e2727402806176de0db397732eb  actionview-4.1.4.gem
9edc0b4e5c709ad11517a9f40ba50ee93e97e59b  activemodel-4.1.4.gem
23851340221e38717a7159ebcd2eb398e8ebeacd  activerecord-4.1.4.gem
388bd214252b34d22ec8bd1ca2445d7b53cd39bb  activesupport-4.1.4.gem
0e050607bb8581dc756c5184a5920de9708398f1  rails-4.1.4.gem
e1a75ea7161db14c953fce1e399c4e20b2eaa364  railties-4.1.4.gem

_____________________________________________________________________

Rails 3.2.19, 4.0.7 and 4.1.3 have been released!

Posted by rafaelfranca, July 2, 2014 @ 10:13 am

Hi everyone!

Rails 3.2.19, 4.0.7 and 4.1.3 have been released! These three releases contain important security fixes, so please upgrade as soon as possible!

In order to make upgrading as smooth as possible, we've only included commits directly related to each security issue.

The security fix for 3.2.19 is: CVE-2014-3482

The security fix for 4.0.7 and 4.1.3 is: CVE-2014-3483

The commits for 3.2.19 can be found here, the commits for 4.0.7 can be found here, and the commits for 4.1.3 can be found here.
Here are the checksums for 3.2.19:

$ shasum *3.2.19*
18420c276ad514b31e393a8a3e54717e66d1b671  actionmailer-3.2.19.gem
44285b467d5c89d6fcc7ccb0d75e18371373a097  actionpack-3.2.19.gem
44ee59f4024aeaac88cb558e337c67968be96531  activemodel-3.2.19.gem
88a7417694abfbb4e8e9eafd4bdcc1d09d609a76  activerecord-3.2.19.gem
32399ca83e5a4241bd14bd16c3042b1a0bd40277  activeresource-3.2.19.gem
6d392def38721f93fa9b4511d53aeaa44eb0fb47  activesupport-3.2.19.gem
486b22ec6e8ec0a20b4c3e3b4d4c0c12fc762c8d  rails-3.2.19.gem
fc104dc2bbd549e6d5cc9b40e95e321d19bb9d86  railties-3.2.19.gem

Here are the checksums for 4.0.7:

$ shasum *4.0.7*
92398e29b1b39578eb0814fce6ab5eb0b4aa4080  actionmailer-4.0.7.gem
6da21c3793a9d83a8d2c88f9718e3e0679aaf316  actionpack-4.0.7.gem
a7885a5b2a3ae24389bd4037350a49ec6a4baec7  activemodel-4.0.7.gem
126ce8ddd290458577f878152faea8b4a65b14b5  activerecord-4.0.7.gem
efbc0b6ef05b6235955c1d890b7c53ea019d2499  activesupport-4.0.7.gem
9589f7f5141ec688ed1f8e7ac8f7429b06d098ef  rails-4.0.7.gem
e4078a44393d0af71e9ecb2c69ad57654f34db8f  railties-4.0.7.gem

Here are the checksums for 4.1.3:

$ shasum *4.1.3*
23b3bdabaa0932ea0b85e36eeb7a05141a26d523  actionmailer-4.1.3.gem
16555cb09c737f7ed371f7b6bab3ecf3f0e3bfe2  actionpack-4.1.3.gem
699eabc22ac45ca264d31556892d9034c3b4da53  actionview-4.1.3.gem
5a2b351d1c570f746f6df606d5281e92758329ea  activemodel-4.1.3.gem
4db00d654d9006bb569f6c9842eb4ea3d84d4546  activerecord-4.1.3.gem
453dae978b865f6589bf61973f93ed5166cbc5fc  activesupport-4.1.3.gem
7e9d4371abb345ac2a0f2765cc514657a115540a  rails-4.1.3.gem
3999875c0d656b60a309dbfeb897310f4ee2879b  railties-4.1.3.gem

___________________________________________________________________

There are two distinct but related vulnerabilities in the PostgreSQL adapter for Active Record. These vulnerabilities have been assigned the CVE identifiers CVE-2014-3482 and CVE-2014-3483.
Versions Affected: All Versions > 2.0
Not affected: Databases other than PostgreSQL
Fixed Versions: 3.2.19, 4.0.7 & 4.1.3

Impact
------

PostgreSQL supports a number of unique data types which are not present in other supported databases. A bug in the SQL quoting code in ActiveRecord can allow an attacker to inject arbitrary SQL using carefully crafted values. Only applications which query against either bitstring or range types are vulnerable. The particular data types affected depend on the version of Rails you're using, but the vulnerable code will look the same. Vulnerable code will take either of the following forms:

Model.where(bitstring: params[:some_value])
Model.where(range: params[:from]..params[:to])

The specific versions affected are listed below; however, all users running an affected release should upgrade immediately.

SQL Injection Vulnerability in 'bitstring' quoting
==================================================

Versions Affected: 2.0.0-3.2.18
Not Affected: 4.0 and Later
Identifier: CVE-2014-3482

SQL Injection Vulnerability in 'range' quoting
==============================================

Versions Affected: 4.0.0-4.1.2
Not Affected: All versions prior to 4.0.0
Identifier: CVE-2014-3483

Releases
--------

The 3.2.19, 4.0.7 & 4.1.3 releases are available at the normal locations.

Workarounds
-----------

The only feasible workaround for this issue is to not allow user controlled values to be used in queries with the affected data types. Given the difficulty of ensuring this, upgrading is strongly advised.

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series and the last major release series. They are in git-am format and consist of a single changeset.
* 4-1-postgres-sqli.patch - Patch for 4.1 series
* 4-0-postgres-sqli.patch - Patch for 4.0 series
* 3-2-postgres-sqli.patch - Patch for 3.2 series

Please note that only the 4.0.x and 4.1.x series receive regular security updates at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for earlier releases.

Credits
-------

Thanks to Sean Griffin of thoughtbot for reporting the vulnerability to us, and to Jeff Jarmoc of Matasano and Charlie Somerville of GitHub for working with us to review the patches and advisories.

Rafael Mendonça França
http://twitter.com/rafaelfranca
https://github.com/rafaelfranca

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44              +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41              +
+ 75013 Paris         | email: cert@support.renater.fr    +
==========================================================
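Added example, not part of the CERT-Renater note or of the Rails advisory it reproduces: a small Ruby script that turns the two actionable points of the Impact and Workarounds sections above into checks an operator can run. The first function maps an installed Rails version to the CVE it is still exposed to, using only the affected and fixed version ranges stated in the advisory (2.0.0-3.2.18 for CVE-2014-3482; 4.0.0-4.0.6 and 4.1.0-4.1.2 for CVE-2014-3483; 3.2.19, 4.0.7 and 4.1.3 fixed). The second part is the advisory's workaround, "do not let user-controlled values reach the affected types", implemented as strict allow-list validation of bitstring and range parameters before they are handed to `Model.where`. `Model`, `params`, the column names and the assumption that the range bounds are integers are illustrative and not from the advisory.

```ruby
# Added example (not part of the CERT-Renater note or the Rails advisory).
# Defensive checks for the PostgreSQL adapter issues CVE-2014-3482 /
# CVE-2014-3483, built only from the version ranges stated in the advisory.
# Model, params, column names and integer range bounds are assumed.
require "rubygems"

V = Gem::Version # shorthand for comparing dotted version strings

# Returns the CVE identifier the given Rails version is still exposed to,
# or nil when it is a fixed release or outside the affected ranges.
def exposed_cve(rails_version)
  v = V.new(rails_version)
  return "CVE-2014-3482" if v >= V.new("2.0.0") && v < V.new("3.2.19")
  return "CVE-2014-3483" if v >= V.new("4.0.0") && v < V.new("4.0.7")
  return "CVE-2014-3483" if v >= V.new("4.1.0") && v < V.new("4.1.3")
  nil
end

# A PostgreSQL bit string literal consists only of the characters 0 and 1;
# anything else (quotes, parentheses, letters) is refused before it can
# reach the adapter's quoting code.
BITSTRING = /\A[01]+\z/

def safe_bitstring(value)
  s = value.to_s
  raise ArgumentError, "not a bit string: #{s.inspect}" unless s.match?(BITSTRING)
  s
end

# Range bounds from the request are accepted only as plain decimal integers
# (optional sign) and converted to Integer, so the query receives a Range of
# Integers and never the raw request strings.
INTEGER = /\A-?\d+\z/

def safe_int_range(from, to)
  lo, hi = [from, to].map do |b|
    s = b.to_s
    raise ArgumentError, "not an integer bound: #{s.inspect}" unless s.match?(INTEGER)
    Integer(s, 10)
  end
  raise ArgumentError, "empty range #{lo}..#{hi}" if lo > hi
  lo..hi
end

# Illustrative use at the call sites the advisory describes (Model and
# params are assumed and are not defined here):
#   Model.where(bitstring: safe_bitstring(params[:some_value]))
#   Model.where(range: safe_int_range(params[:from], params[:to]))
```

The version check is deliberately conservative: a 3.2.x release other than 3.2.19 is reported as exposed because the advisory lists the whole 2.0.0-3.2.18 range, and the two 4.x series are checked separately because 4.0.7 and 4.1.3 are the first fixed releases of each. The validators reject rather than sanitise, which is what the workaround calls for: a value that is not a well-formed literal for the column type should never be quoted at all.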