
=====================================================================

                              CERT-Renater

                   Note d'Information No. 2021/VULN625
_____________________________________________________________________

DATE                : 25/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ruby versions prior to 2.6.9,
                     2.7.5, 3.0.3
                     cgi gem versions prior to 0.3.1, 0.2.1, and 0.1.1
                     date gem versions prior to 3.2.1, 3.1.2, 3.0.2, 2.0.1

=====================================================================
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/
https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
_____________________________________________________________________


CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

Posted by mame on 24 Nov 2021

A cookie prefix spoofing vulnerability was discovered in
CGI::Cookie.parse. This vulnerability has been assigned the CVE
identifier CVE-2021-41819. We strongly recommend upgrading Ruby.


Details

Older versions of CGI::Cookie.parse applied URL decoding to cookie
names. An attacker could exploit this to spoof security prefixes in
cookie names and thereby trick a vulnerable application.

With this fix, CGI::Cookie.parse no longer decodes cookie names. Note
that this is an incompatibility if the cookie names you use contain
non-alphanumeric characters that are URL-encoded.
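Added example, not code from the Ruby advisory or from the cgi gem itself: a small model of the two parsing rules described above (a decoded-name variant standing in for the pre-fix behaviour, a raw-name variant for the fixed behaviour) run over a constructed Cookie header, a prefix check that only makes sense on the raw name, and a probe of the cgi gem installed in the running process. The function names, the constructed header and the use of URI.decode_www_form_component in place of the gem's own decoder are assumptions of this example.

```ruby
require "uri"

# Constructed sample Cookie header (not taken from the advisory). The first
# name is the percent-encoded spelling of "__Host-session": "_" is %5F.
RAW_COOKIE_HEADER = "%5F%5FHost-session=abc%20def; plain=1"

# Post-fix rule from the advisory, modelled here: decode only the value and
# keep the name exactly as the client sent it.
def parse_cookies_raw_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty? || value.nil?
    cookies[name] = URI.decode_www_form_component(value)
  end
end

# Pre-fix rule, modelled for comparison: the name is URL-decoded as well, so
# an encoded name collapses onto a security-prefixed one.
def parse_cookies_decoded_names(header)
  parse_cookies_raw_names(header)
    .transform_keys { |name| URI.decode_www_form_component(name) }
end

# Cookie names carrying a security prefix. A browser only sends such a name
# for a cookie that met the prefix rules, so the check is only meaningful on
# the undecoded name.
def prefixed_cookie_names(cookies)
  cookies.keys.select { |name| name.start_with?("__Host-", "__Secure-") }
end

# Probe the cgi gem installed in this process: true when CGI::Cookie.parse
# still decodes names (the sample header yields "__Host-session"), false when
# it keeps them raw, nil when the library cannot be loaded or rejects the name.
def installed_cgi_decodes_cookie_names?
  require "cgi"
  CGI::Cookie.parse(RAW_COOKIE_HEADER).key?("__Host-session")
rescue LoadError, ArgumentError
  nil
end
```

With the raw-name rule the sample header produces no prefixed cookie at all, while the decoded-name rule reports a "__Host-session" cookie the browser never set as such. The same raw-name rule is what causes the incompatibility noted above: an application whose cookie names contain URL-encoded characters now sees the encoded spelling.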


This is the same issue as CVE-2020-8184.

If you are using Ruby 2.7 or 3.0:

     Please update the cgi gem to version 0.3.1, 0.2.1, and 0.1.1 or
later. You can use gem update cgi to update it. If you are using
bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile.

     Alternatively, please update Ruby to 2.7.5 or 3.0.3.

If you are using Ruby 2.6:

     Please update Ruby to 2.6.9. You cannot use gem update cgi for Ruby 
2.6 or prior.


Affected versions

     ruby 2.6.8 or prior (You cannot use gem update cgi for this version.)
     cgi gem 0.1.0 or prior (the versions bundled with the Ruby 2.7
series prior to Ruby 2.7.5)
     cgi gem 0.2.0 or prior (the versions bundled with the Ruby 3.0
series prior to Ruby 3.0.3)
     cgi gem 0.3.0 or prior


Credits

Thanks to ooooooo_q for discovering this issue.


History

     Originally published at 2021-11-24 12:00:00 (UTC)

______________________________________________________________________


CVE-2021-41816: Buffer Overrun in CGI.escape_html

Posted by mame on 24 Nov 2021

A buffer overrun vulnerability was discovered in CGI.escape_html. This
vulnerability has been assigned the CVE identifier CVE-2021-41816. We
strongly recommend upgrading Ruby.

Details

A buffer overflow occurs when a very large string (> 700 MB) is passed
to CGI.escape_html on a platform where the long type is 4 bytes,
typically Windows.

Please update the cgi gem to version 0.3.1, 0.2.1, and 0.1.1 or later.
You can use gem update cgi to update it. If you are using bundler,
please add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, please
update Ruby to 2.7.5 or 3.0.3.

This issue was introduced in Ruby 2.7, so the cgi version bundled with
Ruby 2.6 is not vulnerable.


Affected versions

     cgi gem 0.1.0 or prior (the versions bundled with the Ruby 2.7
series prior to Ruby 2.7.5)
     cgi gem 0.2.0 or prior (the versions bundled with the Ruby 3.0
series prior to Ruby 3.0.3)
     cgi gem 0.3.0 or prior


Credits

Thanks to chamal for discovering this issue.


History

     Originally published at 2021-11-24 12:00:00 (UTC)

_____________________________________________________________________


CVE-2021-41817: Regular Expression Denial of Service Vulnerability of
Date Parsing Methods

Posted by mame on 15 Nov 2021

We have released date gem versions 3.2.1, 3.1.2, 3.0.2, and 2.0.1, which
include a security fix for a regular expression denial of service
vulnerability (ReDoS) in the date parsing methods. An attacker can
exploit this vulnerability to cause an effective DoS attack. This
vulnerability has been assigned the CVE identifier CVE-2021-41817.


Details

Date's parsing methods, including Date.parse, use regexps internally,
some of which are vulnerable to regular expression denial of service.
Applications and libraries that apply such methods to untrusted input
may be affected.

The fix limits the input length to 128 bytes by default instead of
changing the regexps, because the date gem uses many regexps and there
may still be undiscovered vulnerable ones among them. For compatibility,
the limit can be removed by explicitly passing the limit keyword as nil,
as in Date.parse(str, limit: nil), but note that parsing may then take a
long time.
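Added example, not code from the advisory or from the date gem: a wrapper that applies the same 128-byte cap itself before any regexp runs, so the bound holds for untrusted input even where the installed gem predates the fix, plus a probe that reports whether the installed gem enforces the limit on its own. The function names and the default-limit constant are assumptions of this example; the cap value is the one stated in the advisory.

```ruby
require "date"

# Default cap, the same value the fixed date gem applies on its own.
DEFAULT_DATE_INPUT_LIMIT = 128

# Parse a date from untrusted input. Over-long strings are rejected before
# Date.parse (and its regexps) ever sees them, so the cost stays bounded on
# any gem version. Returns a Date, or nil when the input is too long or not
# a recognisable date.
def safe_parse_date(str, max_len: DEFAULT_DATE_INPUT_LIMIT)
  return nil if str.nil? || str.bytesize > max_len
  Date.parse(str)
rescue ArgumentError, TypeError
  nil
end

# Probe the installed date gem: true when Date.parse refuses a string one
# byte over the default limit with its own limit error, false when it goes
# ahead and tries to parse it (an unfixed gem).
def date_gem_enforces_limit?
  Date.parse("1" * (DEFAULT_DATE_INPUT_LIMIT + 1))
  false
rescue ArgumentError => e
  e.message.include?("limit")
end
```

Callers that genuinely need longer input can raise max_len for that call only; passing limit: nil to Date.parse, as the advisory describes, removes the gem's own cap entirely and should be reserved for trusted input.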

Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or
later. You can use gem update date to update it. If you are using
bundler, please add gem "date", ">= 3.2.1" to your Gemfile.

Alternatively, you can update Ruby to 3.0.3, 2.7.5, 2.6.9 or later.


Affected versions

     date gem 2.0.0 or prior (the versions bundled with the Ruby 2.6
series prior to Ruby 2.6.9)
     date gem 3.0.1 or prior (the versions bundled with the Ruby 2.7
series prior to Ruby 2.7.5)
     date gem 3.1.1 or prior (the versions bundled with the Ruby 3.0
series prior to Ruby 3.0.3)
     date gem 3.2.0 or prior
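Added example, not code from the advisory or either gem: a check that turns the "Affected versions" lists for the cgi gem (above, in the first two advisories) and the date gem (just above) into a per-series comparison with Gem::Version, plus a helper that reads the version actually loaded in the running process (the bundled copy unless a newer gem is installed). The fix releases are the ones named in this note; the function names are assumptions of this example, and Ruby 2.6's built-in cgi library, which has no gem version, is outside what it can judge.

```ruby
require "rubygems"

# Minimum fixed release per major.minor series, as listed in the advisory.
FIXED_VERSIONS = {
  "cgi"  => %w[0.1.1 0.2.1 0.3.1],
  "date" => %w[2.0.1 3.0.2 3.1.2 3.2.1],
}.freeze

# True when `installed` (a version string) is at or above the fix release of
# its own major.minor series, or belongs to a series newer than every listed
# one. A series older than all listed fixes is treated as unfixed.
def gem_version_fixed?(gem_name, installed)
  v = Gem::Version.new(installed)
  fixes = FIXED_VERSIONS.fetch(gem_name).map { |s| Gem::Version.new(s) }
  same_series = fixes.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  return v >= same_series if same_series
  v > fixes.max
end

# Version string of the gem loaded into this process, or nil when it cannot
# be loaded or is not registered with RubyGems (e.g. Ruby 2.6's cgi).
def loaded_gem_version(gem_name)
  require gem_name
  spec = Gem.loaded_specs[gem_name]
  spec ? spec.version.to_s : nil
rescue LoadError
  nil
end

# Convenience report for one gem: [version, fixed?] or nil when unknown.
def gem_fix_status(gem_name)
  version = loaded_gem_version(gem_name)
  version && [version, gem_version_fixed?(gem_name, version)]
end
```

Run gem_fix_status("cgi") and gem_fix_status("date") inside the application's own bundle, since that is where the resolved versions matter; a nil result means the version could not be determined and should be checked by hand.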


Credits

Thanks to svalkanov for discovering this issue.


History

     Originally published at 2021-11-15 08:00:00 (UTC)
     Mentioned the new Ruby releases at 2021-11-24 13:20:00 (UTC)



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

