====================================================================
CERT-Renater Information Note No. 2016/VULN302
_____________________________________________________________________

DATE : 29/08/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Rails versions prior to 5.0.0.1, 4.2.7.1, 3.2.22.3.

======================================================================

http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/
https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE
https://groups.google.com/forum/#!topic/ruby-security-ann/WccgKSKiPZA

_____________________________________________________________________

Rails 5.0.0.1, 4.2.7.1, and 3.2.22.3 have been released!

Posted by tenderlove, August 11, 2016 @ 5:21 pm

Hi everyone!

Rails 5.0.0.1, 4.2.7.1, and 3.2.22.3 have been released! These releases contain important security fixes, so please upgrade when you can.

Versions 5.0.0.1, 4.2.7.1, and 3.2.22.3 contain a fix for CVE-2016-6316 which you can read about here. Version 4.2.7.1 also contains CVE-2016-6317 which you can read about here.

To ease upgrading, these releases contain only security fixes.
Here are checksums for the gems:

_____________________________________________________________________

# Possible XSS Vulnerability in Action View

There is a possible XSS vulnerability in Action View. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers. This vulnerability has been assigned the CVE identifier CVE-2016-6316.

Versions Affected: >= 3.0.0.
Not affected: < 3.0.0
Fixed Versions: 5.0.0.1, 4.2.7.1, 3.2.22.3

Impact
------

Text declared as "HTML safe" when passed as an attribute value to a tag helper will not have quotes escaped, which can lead to an XSS attack. Impacted code looks something like this:

```
content_tag(:div, "hi", title: user_input.html_safe)
```

Some helpers like the `sanitize` helper will automatically mark strings as "HTML safe", so impacted code could also look something like this:

```
content_tag(:div, "hi", title: sanitize(user_input))
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

You can work around this issue by either *not* marking arbitrary user input as safe, or by manually escaping quotes like this:

```
# Replace every double quote with its HTML entity so the value cannot
# close the attribute it is placed in, even when it is marked "HTML safe".
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
```

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 3-2-attribute-xss.patch - Patch for 3.2 series
* 4-2-attribute-xss.patch - Patch for 4.2 series
* 5-0-attribute-xss.patch - Patch for 5.0 series

Please note that only the 5.0.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Andrew Carpenter of Critical Juncture for reporting this issue and sending a patch to fix it!
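As an added illustration (not code from the advisory or from Rails), the following plain-Ruby stand-in reproduces the attribute-rendering behaviour described above, using a hypothetical `SafeString` class in place of `ActiveSupport::SafeBuffer`, and contrasts it with a renderer that escapes double quotes regardless of the safe flag (my rendition of the idea behind the fix, not the Rails patch itself). The sample input is constructed.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String the application has marked
# "HTML safe" (what html_safe and the sanitize helper both produce).
class SafeString < String; end

def mark_html_safe(str)
  SafeString.new(str)
end

# Attribute rendering as the advisory describes the affected releases: a value
# already marked safe is inserted verbatim, so a double quote inside it closes
# the attribute early and whatever follows lands outside the quoted value.
def attribute_vulnerable(name, value)
  rendered = value.is_a?(SafeString) ? value : CGI.escapeHTML(value)
  %(#{name}="#{rendered}")
end

# Fixed rendering (my rendition, not the Rails patch): escape unsafe values as
# before, then replace any remaining double quote with &quot; regardless of the
# safe flag, so no value can terminate the attribute it sits in.
def attribute_fixed(name, value)
  rendered = value.is_a?(SafeString) ? value : CGI.escapeHTML(value)
  %(#{name}="#{rendered.gsub('"', '&quot;')}")
end

# Minimal content_tag: <name k="v" ...>body</name>, using the given attribute
# renderer so both behaviours can be compared on the same input.
def content_tag(name, body, attrs, renderer = :attribute_fixed)
  rendered = attrs.map { |k, v| send(renderer, k, v) }.join(" ")
  "<#{name} #{rendered}>#{CGI.escapeHTML(body)}</#{name}>"
end

# Constructed sample: user input containing a double quote, which an
# application would mark safe after passing it through sanitize().
USER_INPUT = 'say "hi"'.freeze

if $PROGRAM_NAME == __FILE__
  puts content_tag(:div, "hi", { title: mark_html_safe(USER_INPUT) }, :attribute_vulnerable)
  puts content_tag(:div, "hi", { title: mark_html_safe(USER_INPUT) }, :attribute_fixed)
end
```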
--
Aaron Patterson

_____________________________________________________________________

# Unsafe Query Generation Risk in Active Record

There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. This vulnerability has been assigned the CVE identifier CVE-2016-6317. This vulnerability is similar to CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0, >= 5.0.0
Fixed Versions: 4.2.7.1

Impact
------

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query; however, they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it.

For example, a system has password reset with token functionality:

```
unless params[:token].nil?
  user = User.find_by_token(params[:token])
  user.reset_password!
end
```

An attacker can craft a request such that `params[:token]` will return `[nil]`. The `[nil]` value will bypass the test for nil, but will still add an "IN ('xyz', NULL)" clause to the SQL query.

Similarly, an attacker can craft a request such that `params[:token]` will return an empty hash. An empty hash will eliminate the WHERE clause of the query, but can bypass the `nil?` check.

Note that this impacts not only dynamic finders (`find_by_*`) but also relations (`User.where(:name => params[:name])`).

All users running an affected release should either upgrade or use one of the workarounds immediately.

All users running an affected release should upgrade immediately.

Please note, this vulnerability is a variant of CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155. Even if you upgraded to address those issues, you must take action again.
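To make the Impact section concrete, here is an added example (not part of the advisory or of Rails) that simulates in plain Ruby how `[nil]` and `{}` arriving from a JSON body slip past a `nil?` check, and how the `to_s` cast recommended in the advisory's Workarounds section neutralises them. `where_sql` is a hypothetical stand-in that only reproduces the clause shapes the advisory describes, not Active Record's real query builder, and the constructed bodies are parsed with plain `JSON.parse`, not Rails' parameter pipeline.

```ruby
require 'json'

# Hypothetical stand-in for how Active Record turns one condition into SQL,
# reproducing only the shapes the advisory describes: an Array becomes IN (...)
# with NULL for nil elements, an empty Hash drops the condition entirely, nil
# becomes IS NULL and a String becomes an equality test with one bind value.
# Returns [sql_fragment, bind_values]; it is NOT Active Record's implementation.
def where_sql(column, value)
  case value
  when nil    then ["WHERE #{column} IS NULL", []]
  when String then ["WHERE #{column} = ?", [value]]
  when Array
    marks = value.map { |v| v.nil? ? "NULL" : "?" }.join(", ")
    ["WHERE #{column} IN (#{marks})", value.compact]
  when Hash
    raise ArgumentError, "nested hash conditions are not modelled" unless value.empty?
    ["", []]   # empty hash: no WHERE clause at all
  else
    raise ArgumentError, "unsupported value #{value.class}"
  end
end

# Vulnerable pattern from the advisory: nil? is the only guard before the lookup.
# Returns nil when the guard rejects the request, otherwise the simulated clause.
def reset_query_vulnerable(params)
  return nil if params["token"].nil?
  where_sql("token", params["token"])
end

# The advisory's workaround: cast to String first, so an Array or Hash can only
# reach the query as a harmless literal such as "[nil]" or "{}" that matches no token.
def reset_query_workaround(params)
  token = params["token"]
  return nil if token.nil? || token.to_s.empty?
  where_sql("token", token.to_s)
end

# Constructed sample request bodies.
SAMPLE_BODIES = [
  '{"token":"abc"}',   # the legitimate case
  '{"token":[null]}',  # passes nil?, yields IN (NULL)
  '{"token":{}}',      # passes nil?, yields no WHERE clause
  '{"token":null}'     # the only case nil? actually catches
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_BODIES.each do |body|
    params = JSON.parse(body)
    puts "#{body.ljust(18)} vulnerable: #{reset_query_vulnerable(params).inspect}  workaround: #{reset_query_workaround(params).inspect}"
  end
end
```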
If this change in behavior impacts your application, you can manually decode the original values from the request like so:

```
ActiveSupport::JSON.decode(request.body)
```

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

This problem can be mitigated by casting the parameter to a string before passing it to Active Record. For example:

```
unless params[:token].nil? || params[:token].to_s.empty?
  user = User.find_by_token(params[:token].to_s)
  user.reset_password!
end
```

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 4-2-unsafe-query-generation.patch - Patch for 4.2 series

Please note that only the 5.0.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to joernchen of Phenoelit for reporting this!

--
Aaron Patterson

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris           | email: cert@support.renater.fr   +
==========================================================