
List:       oss-security
Subject:    [oss-security] [CVE-2018-16476] Broken Access Control vulnerability in Active Job
From:       Rafael_Mendonça_França <rafaelmfranca () gmail ! com>
Date:       2018-11-27 21:06:36
Message-ID: bf67ba8b-e03f-424b-92ba-c32b01ab1c08 () Spark


There is a vulnerability in Active Job. This vulnerability has been
assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact
------
Carefully crafted user input can cause Active Job to deserialize it using GlobalId
and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

      MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
Putting the following monkey patch in an initializer can help to mitigate the issue:

```ruby
require 'active_job'
require 'active_job/arguments'

# Prepended onto ActiveJob::Arguments so that a bare String argument is
# returned as-is instead of being handed to GlobalID::Locator first.
module ArgumentsNotDeserializingGlobalId
  def deserialize_argument(argument)
    case argument
    when String
      argument
    else
      super
    end
  end
end

ActiveJob::Arguments.singleton_class.prepend(ArgumentsNotDeserializingGlobalId)
```
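To make the Impact section and the effect of the workaround concrete, here is an added example (not code from the advisory or from Rails) that models the `when String` branch before and after the fix with a stand-in locator and constructed records; the `_aj_globalid` marker key for model arguments and the job payload shape are assumptions mirroring Active Job's format. It also includes a check a defender can run over queued payloads for bare GID-shaped string arguments.

```ruby
require "json"

# Constructed stand-in for the application's records, keyed by GID URI (not Active Record).
RECORDS = {
  "gid://app/Account/1" => { "id" => 1, "owner" => "alice" },
  "gid://app/Account/2" => { "id" => 2, "owner" => "bob" }
}.freeze
# Marker key Active Job uses when it serializes a model argument (assumed format).
GID_KEY = "_aj_globalid"

# Stand-in for GlobalID::Locator.locate: the record named by a GID URI, or nil.
def locate(gid)
  RECORDS[gid]
end

# Pre-fix 'when String' branch: a bare string goes to the locator first, so a
# GID-shaped string that arrived as user input becomes the record it names.
def deserialize_vulnerable(arg)
  case arg
  when String then locate(arg) || arg
  when Hash   then arg.key?(GID_KEY) ? locate(arg[GID_KEY]) : arg.transform_values { |v| deserialize_vulnerable(v) }
  when Array  then arg.map { |a| deserialize_vulnerable(a) }
  else arg
  end
end

# Post-fix branch from the patch: bare strings pass through untouched; only the
# hash form Active Job itself emits for model arguments is located.
def deserialize_fixed(arg)
  case arg
  when String then arg
  when Hash   then arg.key?(GID_KEY) ? locate(arg[GID_KEY]) : arg.transform_values { |v| deserialize_fixed(v) }
  when Array  then arg.map { |a| deserialize_fixed(a) }
  else arg
  end
end

# Deserialize every argument of a queued job payload with one of the two branches.
def run(job_json, fixed:)
  JSON.parse(job_json)["arguments"].map { |a| fixed ? deserialize_fixed(a) : deserialize_vulnerable(a) }
end

# Defender-side check: bare string arguments with GID shape are exactly the inputs
# the vulnerable branch would resolve into records.
def gid_shaped_strings(job_json)
  JSON.parse(job_json)["arguments"].flatten.grep(String).grep(%r{\Agid://})
end

# Constructed payloads: a model argument as Active Job would serialize it, and a job
# where the user input passed to MyJob.perform_later(user_input) was someone else's GID.
LEGIT_JOB   = JSON.generate({ "job_class" => "MyJob", "arguments" => [{ GID_KEY => "gid://app/Account/1" }] })
TAINTED_JOB = JSON.generate({ "job_class" => "MyJob", "arguments" => ["gid://app/Account/2"] })
```

Running `run(TAINTED_JOB, fixed: false)` yields bob's record, while `run(TAINTED_JOB, fixed: true)` yields the untouched string; the legitimate hash form still resolves under both branches.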

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 4-2-activejob-direct-access.patch - Patch for 4.2 series
* 5-0-activejob-direct-access.patch - Patch for 5.0 series
* 5-1-activejob-direct-access.patch - Patch for 5.1 series
* 5-2-activejob-direct-access.patch - Patch for 5.2 series

Please note that only the 5.x and 4.2.x series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Rafael França



["4-2-activejob-direct-access.patch" (application/octet-stream)]

From 4f03411fd07d714b525655e2457bbd761c9f03a5 Mon Sep 17 00:00:00 2001
From: Rafael Mendonça França <rafaelmfranca@gmail.com>
Date: Wed, 5 Sep 2018 17:38:09 -0400
Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by
 Active Job

Trusting any GlobalID object when deserializing jobs can allow
attackers to access information that should not be accessible to them.

Fix CVE-2018-16476.
---
 activejob/lib/active_job/arguments.rb               | 2 +-
 activejob/test/cases/argument_serialization_test.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index ecd81f2099..e33ee649cd 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -75,7 +75,7 @@ module ActiveJob
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
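Review bot: the replaced line `+          argument` leaves the `when String` branch identical to the `when *TYPE_WHITELIST` branch directly below it, so either fold the two (`when String, *TYPE_WHITELIST`) or add a one-line comment stating that strings are deliberately never passed to `GlobalID::Locator.locate`, so a later cleanup does not reintroduce the lookup. It would also help to say in the commit message that bare GID strings are now never located, and that model arguments still round-trip only because Active Job's own serialized form is handled by another branch of this `case` that lies outside the context shown here.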
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
index 1f11e916c4..058a828b86 100644
--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
     assert_arguments_roundtrip [@person]
   end

+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
   test 'should dive deep into arrays and hashes' do
     assert_arguments_roundtrip [3, [@person]]
     assert_arguments_roundtrip [{ 'a' => @person }]
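Review bot: the new test at `+  test "should keep Global IDs strings as they are" do` uses double quotes while its neighbours in this file use single quotes (`test 'should dive deep into arrays and hashes' do`); match the file's style, and the name reads better as "should keep Global ID strings as they are". Because the comparison `assert_arguments_roundtrip` performs is not visible in this hunk, an explicit `assert_kind_of String` on the deserialized value would make it unambiguous that the string is no longer resolved to `@person`.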
--
2.18.0


["5-0-activejob-direct-access.patch" (application/octet-stream)]

From e9c98a89ff0672c89b20c18f207d95cca91494bf Mon Sep 17 00:00:00 2001
From: Rafael Mendonça França <rafaelmfranca@gmail.com>
Date: Wed, 5 Sep 2018 17:38:09 -0400
Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by
 Active Job

Trusting any GlobalID object when deserializing jobs can allow
attackers to access information that should not be accessible to them.

Fix CVE-2018-16476.
---
 activejob/lib/active_job/arguments.rb               | 2 +-
 activejob/test/cases/argument_serialization_test.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index e809bddde4..d169dbadb1 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -87,7 +87,7 @@ def serialize_argument(argument)
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
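Review bot: with `+          argument` the `when String` branch in this hunk now does exactly what `when *TYPE_WHITELIST` does two lines later; a short comment on the String branch explaining that it must not call `GlobalID::Locator.locate` would document the security intent better than the bare duplication, which otherwise invites a future merge or "restoration" of the lookup. The hunk header `@@ -87,7 +87,7 @@ def serialize_argument(argument)` shows the serialize side is in the same file, so please confirm that the form it emits for model arguments is still matched by a branch outside this context.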
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
index 8c008645be..3bf8030c50 100644
--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
     assert_arguments_roundtrip [@person]
   end

+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
   test 'should dive deep into arrays and hashes' do
     assert_arguments_roundtrip [3, [@person]]
     assert_arguments_roundtrip [{ 'a' => @person }]
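Review bot: the added `test "should keep Global IDs strings as they are" do` is the only double-quoted test name in this hunk; the surrounding tests use single quotes (`test 'should dive deep into arrays and hashes' do`), so keep the file consistent, and "Global ID strings" is the grammatical form. Consider also asserting `assert_kind_of String` on the deserialized argument, since this hunk does not show how `assert_arguments_roundtrip` compares values.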
--
2.18.0


["5-1-activejob-direct-access.patch" (application/octet-stream)]

From 08b1789da762186a403ae4c901253032700a3fac Mon Sep 17 00:00:00 2001
From: Rafael Mendonça França <rafaelmfranca@gmail.com>
Date: Wed, 5 Sep 2018 17:38:09 -0400
Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by
 Active Job

Trusting any GlobalID object when deserializing jobs can allow
attackers to access information that should not be accessible to them.

Fix CVE-2018-16476.
---
 activejob/lib/active_job/arguments.rb               | 2 +-
 activejob/test/cases/argument_serialization_test.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index 523a0e7f33..d936b369ca 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -75,7 +75,7 @@ def serialize_argument(argument)
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
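Review bot: `+          argument` makes the `when String` branch a duplicate of the `when *TYPE_WHITELIST` branch below; either merge them or, preferably, keep the separate branch with a comment that strings are intentionally returned without a `GlobalID::Locator.locate` call, so the security reason survives future refactoring. The commit message should also state plainly that bare GID strings are no longer located and that model arguments rely on Active Job's own serialized form being handled elsewhere in this `case`.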
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
index 7934d8e556..dac04adb11 100644
--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
     assert_arguments_roundtrip [@person]
   end

+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
   test "should dive deep into arrays and hashes" do
     assert_arguments_roundtrip [3, [@person]]
     assert_arguments_roundtrip [{ "a" => @person }]
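Review bot: the test name in `+  test "should keep Global IDs strings as they are" do` should read "should keep Global ID strings as they are". Since the hunk does not show what `assert_arguments_roundtrip` compares, add an explicit `assert_kind_of String` on the deserialized value so the test clearly fails if the GID string were ever resolved back to `@person`.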
--
2.18.0


["5-2-activejob-direct-access.patch" (application/octet-stream)]

From 04c6dc3d8a0c71c5544075b0f73936b3aec2b9e9 Mon Sep 17 00:00:00 2001
From: Rafael Mendonça França <rafaelmfranca@gmail.com>
Date: Wed, 5 Sep 2018 17:38:09 -0400
Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by
 Active Job

Trusting any GlobalID object when deserializing jobs can allow
attackers to access information that should not be accessible to them.

Fix CVE-2018-16476.
---
 activejob/lib/active_job/arguments.rb               | 2 +-
 activejob/test/cases/argument_serialization_test.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index de11e7fcb1..8d992a478b 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -77,7 +77,7 @@ def serialize_argument(argument)
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
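Review bot: after `+          argument` the `when String` branch and the `when *TYPE_WHITELIST` branch below it are identical; add a comment on the String branch recording that it must never call `GlobalID::Locator.locate` (or fold the two with that comment), so the fix is not undone by a later tidy-up. As the hunk header `@@ -77,7 +77,7 @@ def serialize_argument(argument)` shows, the serialize side lives in this file; please confirm its model-argument form is still matched by a branch outside the shown context so model arguments keep round-tripping.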
diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
index 7e7f854da0..4dea233b5c 100644
--- a/activejob/test/cases/argument_serialization_test.rb
+++ b/activejob/test/cases/argument_serialization_test.rb
@@ -37,6 +37,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
     assert_arguments_roundtrip [@person]
   end

+  test "should keep Global IDs strings as they are" do
+    assert_arguments_roundtrip [@person.to_gid.to_s]
+  end
+
   test "should dive deep into arrays and hashes" do
     assert_arguments_roundtrip [3, [@person]]
     assert_arguments_roundtrip [{ "a" => @person }]
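Review bot: rename `+  test "should keep Global IDs strings as they are" do` to "should keep Global ID strings as they are". The hunk does not show how `assert_arguments_roundtrip` compares values, so an explicit `assert_kind_of String` on the deserialized argument would make the intent, that the GID string is not located, visible in the test itself.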
--
2.18.0


