Ten new vulnerabilities in Rack, GlobalID, and Rails this week

[ddalcino]

I just saw this stack of 10 new announcements over the past two days: https://discuss.rubyonrails.org/c/security-announcements/9

Usually, I rely on bundler-audit to tell me when there are new vulnerabilities, but in this case I happened to check the Rails security announcement page, saw these, and realized that bundler-audit was not telling me about them. That's when I came here.

• CVE-2022-44570, CVE-2022-44571, CVE-2022-44572: ReDoS vulnerabilities in Rack, fixed in a new version
• CVE-2023-22799: ReDoS vulnerability in GlobalID, fixed in 1.0.1
• CVE-2023-22797, CVE-2023-22796, CVE-2023-22795, CVE-2023-22794, CVE-2023-22792, CVE-2022-44566: DoS/ReDoS and SQL Injection issues in Rails, fixed in 7.0.4.1

All of these vulnerabilities definitely exist in the Github Advisory Database; maybe the rake sync_github_advisories task needs to be run?

Also, much thanks for maintaining this repository; it's a lifesaver!

[postmodern]

@phillmv or @reedloden, I believe either of you can run the sync task? I don't have a GitHub Access Token setup to query GrapQL. :( I would rather not try to manually import 10 security advisories, if possible.

[reedloden]

Yup. Already in progress. Will have it finished and uploaded tonight after dinner.

[reedloden]

Fixed by 6a79ac9.

[postmodern]

Thank you!

[claasz]

According to https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released these vulnerabilities have been fixed in Rails 6.0.6.1. However, bundler-audit is still complaining. 6a79ac9 is only about 6.1.7.1 and 7.0.4.1.

[postmodern]

@claasz not all of those CVEs were patched in 6.0.6.1. CVE-2023-22797 was fixed in 7.0.4.1 and only affected >= 7.0.0.

[claasz]

When I run

$ bundle-audit check --update

in a Rails 6.0.6.1 application, I get

Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
  advisories:	643 advisories
  last updated:	2023-01-19 21:58:44 -0500
Name: actionpack
Version: 6.0.6.1
CVE: CVE-2023-22795
GHSA: GHSA-8xww-x3g3-6jcv
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: ReDoS based DoS vulnerability in Action Dispatch
Solution: upgrade to ~> 6.1.7, >= 6.1.7.1, >= 7.0.4.1

Name: actionpack
Version: 6.0.6.1
CVE: CVE-2023-22792
GHSA: GHSA-p84v-45xj-wwqj
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: ReDoS based DoS vulnerability in Action Dispatch
Solution: upgrade to ~> 6.1.7, >= 6.1.7.1, >= 7.0.4.1

Name: activerecord
Version: 6.0.6.1
CVE: CVE-2022-44566
GHSA: GHSA-579w-22j4-4749
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Solution: upgrade to ~> 6.1.7, >= 6.1.7.1, >= 7.0.4.1

Name: activesupport
Version: 6.0.6.1
CVE: CVE-2023-22796
GHSA: GHSA-j6gc-792m-qgm2
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: ReDoS based DoS vulnerability in Active Support’s underscore
Solution: upgrade to ~> 6.1.7, >= 6.1.7.1, >= 7.0.4.1

Vulnerabilities found!

Do you think this is correct? Rails 6.0.6.1 still affected by these issues?

[monachi]

complaining on actionpack 5.2.8.1 too

[reedloden]

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Rails 6.0.Z and 5.2.Z are both unsupported / end-of-life, so please upgrade to a supported version. See https://guides.rubyonrails.org/maintenance_policy.html for more details.

[claasz]

Rails 6.0.Z and 5.2.Z are both unsupported / end-of-life, so please upgrade to a supported version. See https://guides.rubyonrails.org/maintenance_policy.html for more details.

Not 100% correct. From the page you mention:

Rails 6.0.Z is included in the list of supported series until June 1st 2023.
(https://guides.rubyonrails.org/maintenance_policy.html#severe-security-issues)

And please notice the fact that 6.0.6.1 was just released 3 days ago (https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released).

[reedloden]

I think it's still fair to say that Rails 6.0.Z is end-of-life, even if it still receiving updates for "severe security issues". It's clear that it is not receiving all security updates, so in my eyes (as a security professional/engineer), it might as well be fully end-of-life, as you're not receiving all the necessary fixes. :-)

So, please upgrade. ❤️

[claasz]

For anybody wondering what's going on with Rails 6.0.Z:

The confusion comes from Rails' release notes which could give you the impression that all of these CVEs have been fixed in 6.0.6.1 as well. Digging deeper into the security announcements and individual CHANGELOG files, situation looks like this:

• [CVE-2022-44566]: Not fixed for 6.0.Z
• [CVE-2023-22797]: Only affects 7.0.Z
• [CVE-2023-22795]: Not fixed for 6.0.Z
• [CVE-2023-22794]: Fixed for 6.0.Z - https://github.com/rails/rails/blob/6-0-stable/activerecord/CHANGELOG.md
• [CVE-2023-22796]: Not fixed for 6.0.Z
• [CVE-2023-22792]: Not fixed for 6.0.Z

[postmodern]

@claasz also feel free to petition the Rails core team to release additional patches for the 6.0.x version family. It's ultimately there call when to drop support for a version family. We just collect the security advisory information.