Bug 968849 (CVE-2016-2098) - VUL-0: CVE-2016-2098: rubygem-actionpack: Possible remote code execution vulnerability in Action Pack
Summary: VUL-0: CVE-2016-2098: rubygem-actionpack: Possible remote code execution vuln...
Status: RESOLVED FIXED
Alias: CVE-2016-2098
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High    Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/162351/
Whiteboard: CVSSv2:RedHat:CVE-2016-2098:6.8:(AV:N...
Keywords:
Depends on:
Blocks: 969943
Reported: 2016-03-01 08:07 UTC by Alexander Bergmann
Modified: 2017-10-12 16:11 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
test/reproducer (302 bytes, application/x-ruby)
2016-03-07 17:22 UTC, Jordi Massaguer

Description Alexander Bergmann 2016-03-01 08:07:15 UTC
http://seclists.org/oss-sec/2016/q1/462

There is a possible remote code execution vulnerability in Action Pack.
This vulnerability has been assigned the CVE identifier CVE-2016-2098.

Versions Affected:  3.2.x, 4.0.x, 4.1.x, 4.2.x
Not affected:       5.0+
Fixed Versions:     3.2.22.2, 4.1.14.2, 4.2.5.2

Impact
------
Applications that pass unverified user input to the `render` method in a
controller or a view may be vulnerable to a code injection.

Impacted code will look like this:

```ruby
class TestController < ApplicationController
  def show
    render params[:id]
  end
end
```

An attacker could use the request parameters to coerce the above example
to execute arbitrary ruby code.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
A workaround to this issue is to not pass arbitrary user input to the `render`
method. Instead, verify that data before passing it to the `render` method.

For example, change this:

```ruby
def show
  render params[:id]
end
```

To this:

```ruby
def show
  render verify_id(params[:id])
end

private
def verify_id(id)
  # add verification logic particular to your application here
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided a patch for
it. It is in git-am format and consists of a single changeset.

* 3-2-secure_inline_with_params.patch - Patch for 3.2 series
* 4-1-secure_inline_with_params.patch - Patch for 4.1 series
* 4-2-secure_inline_with_params.patch - Patch for 4.2 series

Credits
-------
Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit
for reporting this!

Patches
-------
http://seclists.org/oss-sec/2016/q1/att-462/4-2-secure_inline_with_params.patch
http://seclists.org/oss-sec/2016/q1/att-462/4-1-secure_inline_with_params.patch
http://seclists.org/oss-sec/2016/q1/att-462/3-2-secure_inline_with_params.patch

CVE-2016-2098 was assigned to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2098
http://seclists.org/oss-sec/2016/q1/462
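The advisory above shows the vulnerable `render params[:id]` and leaves `verify_id` as a stub. The following is an added example, not code from the advisory, Rails or the SUSE packages, that makes the failure mode concrete without a Rails install: the name of the upstream patch (`secure_inline_with_params`) points at the mechanism, namely that Rack parses `id[inline]=...` into a Hash rather than a String, and a Hash with an `inline` key reaches `render` as an inline ERB template that is compiled and executed. `parse_nested_query` is a deliberately simplified stand-in for Rack's query parser (one bracket level only), `vulnerable_render` is a stand-in for the pre-fix `render` behaviour, and `ALLOWED_TEMPLATES`, `InvalidTemplate`, `hardened_render` and the sample templates and query strings are all constructed for this example.

```ruby
require 'cgi'
require 'erb'

# Constructed stand-in for Rack's nested query parsing (simplified: a single
# level of brackets).  "id=show" -> {"id"=>"show"}
# and "id[inline]=..." -> {"id"=>{"inline"=>"..."}}.
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    key, value = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    if (m = key.match(/\A([^\[]+)\[([^\]]*)\]\z/))
      params[m[1]] = {} unless params[m[1]].is_a?(Hash)
      params[m[1]][m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Constructed stand-in for the pre-fix `render` behaviour described in the
# advisory: a String is looked up as a template name, but a Hash carrying
# "inline" is compiled and executed as an ERB template, so whatever Ruby the
# attacker embedded in the template runs inside the application process.
def vulnerable_render(arg, templates)
  if arg.is_a?(Hash) && arg.key?('inline')
    ERB.new(arg['inline']).result(binding)
  else
    templates.fetch(arg.to_s) { "missing template: #{arg}" }
  end
end

# Hypothetical application-side body for the advisory's `verify_id` stub:
# only a String naming one of the templates this action may render passes.
ALLOWED_TEMPLATES = %w[show edit].freeze

class InvalidTemplate < StandardError; end

def verify_id(id)
  raise InvalidTemplate, "template name must be a String, got #{id.class}" unless id.is_a?(String)
  raise InvalidTemplate, "template #{id.inspect} is not allowed" unless ALLOWED_TEMPLATES.include?(id)
  id
end

# Hardened equivalent of `render verify_id(params[:id])`.
def hardened_render(params, templates)
  vulnerable_render(verify_id(params['id']), templates)
end

# Constructed sample templates and requests.
SAMPLE_TEMPLATES = { 'show' => '<h1>show</h1>', 'edit' => '<h1>edit</h1>' }.freeze
BENIGN_QUERY = 'id=show'
# URL-encoded form of  id[inline]=<%= 6*7 %>  ; a real attacker would put a
# system() or IO.popen call in the template instead of arithmetic.
MALICIOUS_QUERY = 'id[inline]=%3C%25%3D+6*7+%25%3E'

if __FILE__ == $PROGRAM_NAME
  [BENIGN_QUERY, MALICIOUS_QUERY].each do |qs|
    params = parse_nested_query(qs)
    puts "query: #{qs} -> params['id'] = #{params['id'].inspect}"
    puts "  vulnerable render: #{vulnerable_render(params['id'], SAMPLE_TEMPLATES).inspect}"
    begin
      puts "  hardened render:   #{hardened_render(params, SAMPLE_TEMPLATES).inspect}"
    rescue InvalidTemplate => e
      puts "  hardened render:   rejected (#{e.message})"
    end
  end
end
```

The point of the allowlist is that the check happens on the type and the value of the parameter, not on a blocklist of characters: a Hash is rejected outright, and a String is only accepted if it names a template the action is meant to render, which also closes off path-style names. When auditing an application on an affected release, grep the controllers and views for `render params` and `render(params` (and for `render` calls whose argument is derived from `params` through a local variable) before relying on the workaround.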
Comment 1 Swamp Workflow Management 2016-03-01 23:00:25 UTC
bugbot adjusting priority
Comment 4 Jordi Massaguer 2016-03-07 16:23:52 UTC
We have 4.2 version in Leap
and 3.2 version in 13.2
Comment 5 Jordi Massaguer 2016-03-07 17:22:19 UTC
Created attachment 668049 [details]
test/reproducer
Comment 8 Bernhard Wiedemann 2016-03-07 21:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (968849) was mentioned in
https://build.opensuse.org/request/show/367821 42.1 / rubygem-actionview-4_2
Comment 10 Marcus Meissner 2016-03-08 07:50:37 UTC
also check obs
Comment 13 Bernhard Wiedemann 2016-03-09 21:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (968849) was mentioned in
https://build.opensuse.org/request/show/369381 13.2 / rubygem-actionpack-3_2
Comment 14 Swamp Workflow Management 2016-03-16 18:12:57 UTC
openSUSE-SU-2016:0790-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 968849
CVE References: CVE-2016-2098
Sources used:
openSUSE Leap 42.1 (src):    rubygem-actionview-4_2-4.2.4-9.1
Comment 15 Swamp Workflow Management 2016-03-19 15:13:21 UTC
openSUSE-SU-2016:0835-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 968849,968850
CVE References: CVE-2016-2097,CVE-2016-2098
Sources used:
openSUSE 13.2 (src):    rubygem-actionpack-3_2-3.2.17-3.10.1
Comment 16 Swamp Workflow Management 2016-03-22 17:08:15 UTC
SUSE-SU-2016:0854-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 968849,968850
CVE References: CVE-2016-2097,CVE-2016-2098
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-actionview-4_1-4.1.9-12.1
Comment 17 Swamp Workflow Management 2016-03-23 18:09:01 UTC
SUSE-SU-2016:0867-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 968849
CVE References: CVE-2016-2098
Sources used:
SUSE OpenStack Cloud 6 (src):    rubygem-actionview-4_2-4.2.2-8.1
SUSE Enterprise Storage 2.1 (src):    rubygem-actionview-4_2-4.2.2-8.1
Comment 18 Marcus Meissner 2016-04-07 08:09:02 UTC
released
Comment 19 Swamp Workflow Management 2016-04-07 11:08:33 UTC
SUSE-SU-2016:0967-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 968849,968850
CVE References: CVE-2016-2097,CVE-2016-2098
Sources used:
SUSE Webyast 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.26.1
SUSE Studio Onsite 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.26.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    rubygem-actionpack-3_2-3.2.12-0.26.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.26.1
Comment 21 Swamp Workflow Management 2017-10-12 16:11:51 UTC
SUSE-SU-2017:2716-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1055962,968849,993302,993313
CVE References: CVE-2016-2098,CVE-2016-6316,CVE-2016-6317
Sources used:
SUSE OpenStack Cloud 7 (src):    rubygem-actionmailer-4_2-4.2.9-3.3.1, rubygem-actionpack-4_2-4.2.9-7.3.1, rubygem-actionview-4_2-4.2.9-9.3.1, rubygem-activejob-4_2-4.2.9-3.3.1, rubygem-activemodel-4_2-4.2.9-6.3.1, rubygem-activerecord-4_2-4.2.9-6.3.1, rubygem-activesupport-4_2-4.2.9-7.3.1, rubygem-rails-4_2-4.2.9-3.3.1, rubygem-rails-html-sanitizer-1.0.3-8.3.1, rubygem-railties-4_2-4.2.9-3.3.1
SUSE OpenStack Cloud 6 (src):    rubygem-actionmailer-4_2-4.2.9-3.3.1, rubygem-actionpack-4_2-4.2.9-7.3.1, rubygem-actionview-4_2-4.2.9-9.3.1, rubygem-activejob-4_2-4.2.9-3.3.1, rubygem-activemodel-4_2-4.2.9-6.3.1, rubygem-activerecord-4_2-4.2.9-6.3.1, rubygem-activesupport-4_2-4.2.9-7.3.1, rubygem-rails-4_2-4.2.9-3.3.1, rubygem-rails-html-sanitizer-1.0.3-8.3.1, rubygem-railties-4_2-4.2.9-3.3.1
SUSE Enterprise Storage 4 (src):    rubygem-actionmailer-4_2-4.2.9-3.3.1, rubygem-actionpack-4_2-4.2.9-7.3.1, rubygem-actionview-4_2-4.2.9-9.3.1, rubygem-activejob-4_2-4.2.9-3.3.1, rubygem-activemodel-4_2-4.2.9-6.3.1, rubygem-activerecord-4_2-4.2.9-6.3.1, rubygem-activesupport-4_2-4.2.9-7.3.1, rubygem-rails-4_2-4.2.9-3.3.1, rubygem-rails-html-sanitizer-1.0.3-8.3.1, rubygem-railties-4_2-4.2.9-3.3.1
SUSE Enterprise Storage 3 (src):    rubygem-actionmailer-4_2-4.2.9-3.3.1, rubygem-actionpack-4_2-4.2.9-7.3.1, rubygem-actionview-4_2-4.2.9-9.3.1, rubygem-activejob-4_2-4.2.9-3.3.1, rubygem-activemodel-4_2-4.2.9-6.3.1, rubygem-activerecord-4_2-4.2.9-6.3.1, rubygem-activesupport-4_2-4.2.9-7.3.1, rubygem-rails-4_2-4.2.9-3.3.1, rubygem-rails-html-sanitizer-1.0.3-8.3.1, rubygem-railties-4_2-4.2.9-3.3.1