CVE-2013-0269: Input Validation
First published: Fri Feb 08 2013(Updated: )
Aaron Patterson of Ruby on Rails project reports: Denial of Service and Unsafe Object Creation Vulnerability in JSON There is a denial of service and unsafe object creation vulnerability in the json gem. This vulnerability has been assigned the CVE identifier <a href="https://access.redhat.com/security/cve/CVE-2013-0269">CVE-2013-0269</a>. Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX Not affected: NONE Fixed Versions: 1.7.7, 1.6.8, 1.5.5 Impact ------ When parsing certain JSON documents, the JSON gem can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails. Impacted code looks like this: JSON.parse(user_input) Where the `user_input` variable will have a JSON document like this: {"json_class":"foo"} The JSON gem will attempt to look up the constant "foo". Looking up this constant will create a symbol. In JSON version 1.7.x, objects with arbitrary attributes can be created using JSON documents like this: {"json_class":"JSON::GenericObject","foo":"bar"} This document will result in an instance of JSON::GenericObject, with the attribute "foo" that has the value "bar". Instantiating these objects will result in arbitrary symbol creation and in some cases can be used to bypass security measures. PLEASE NOTE: this behavior *does not change* when using `JSON.load`. `JSON.load` should *never* be given input from unknown sources. If you are processing JSON from an unknown source, *always* use `JSON.parse`. All users running an affected release should either upgrade or use one of the work arounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- For users that cannot upgrade, please use the attached patches. If you cannot use the attached patches, change your code from this: JSON.parse(json) To this: JSON.parse(json, :create_additions => false) If you cannot change the usage of `JSON.parse` (for example you're using a gem which depends on `JSON.parse` like multi_json), then apply this monkey patch: module JSON class << self alias :old_parse :parse def parse(json, args = {}) args[:create_additions] = false old_parse(json, args) end end end Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the three supported release series. They are in git-am format and consist of a single changeset. * 1-7-VULN.patch - Patch for the 1.7 series * 1-6-VULN.patch - Patch for the 1.6 series * 1-5-VULN.patch - Patch for the 1.5 series Credits ------- * Thomas Hollstegge of Zweitag (www.zweitag.de) * Ben Murphy
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/candlepin | <0:0.7.24-1.el6_3 | 0:0.7.24-1.el6_3 |
| redhat/katello | <0:1.2.1.1-1h.el6_4 | 0:1.2.1.1-1h.el6_4 |
| redhat/katello-configure | <0:1.2.3.1-4h.el6_4 | 0:1.2.3.1-4h.el6_4 |
| redhat/rubygem-actionpack | <1:3.0.10-12.el6cf | 1:3.0.10-12.el6cf |
| redhat/rubygem-activemodel | <0:3.0.10-3.el6cf | 0:3.0.10-3.el6cf |
| redhat/rubygem-json | <0:1.7.3-2.el6_3 | 0:1.7.3-2.el6_3 |
| redhat/rubygem-nokogiri | <0:1.5.0-0.9.beta4.el6cf | 0:1.5.0-0.9.beta4.el6cf |
| redhat/rubygem-rack | <1:1.3.0-4.el6cf | 1:1.3.0-4.el6cf |
| redhat/rubygem-rdoc | <0:3.8-6.el6cf | 0:3.8-6.el6cf |
| redhat/thumbslug | <0:0.0.28.1-1.el6_4 | 0:0.0.28.1-1.el6_4 |
| redhat/ruby193-ruby | <0:1.9.3.327-28.el6 | 0:1.9.3.327-28.el6 |
| redhat/rubygem-json | <0:1.7.3-2.el6 | 0:1.7.3-2.el6 |
| redhat/rubygem-rdoc | <0:3.8-9.el6 | 0:3.8-9.el6 |
| Rubygems Json Gem | =1.5.0 | |
| Rubygems Json Gem | =1.5.1 | |
| Rubygems Json Gem | =1.5.2 | |
| Rubygems Json Gem | =1.5.3 | |
| Rubygems Json Gem | =1.5.4 | |
| Rubygems Json Gem | =1.6.0 | |
| Rubygems Json Gem | =1.6.1 | |
| Rubygems Json Gem | =1.6.2 | |
| Rubygems Json Gem | =1.6.3 | |
| Rubygems Json Gem | =1.6.4 | |
| Rubygems Json Gem | =1.6.5 | |
| Rubygems Json Gem | =1.6.6 | |
| Rubygems Json Gem | =1.6.7 | |
| Rubygems Json Gem | =1.7.0 | |
| Rubygems Json Gem | =1.7.1 | |
| Rubygems Json Gem | =1.7.2 | |
| Rubygems Json Gem | =1.7.3 | |
| Rubygems Json Gem | =1.7.4 | |
| Rubygems Json Gem | =1.7.5 | |
| Rubygems Json Gem | =1.7.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2013-0269
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82010
- https://groups.google.com/group/rubyonrails-security/msg/d8e0db6e08c81428?dmode=source&output=gplain
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://rhn.redhat.com/errata/RHSA-2013-0701.html
- http://rhn.redhat.com/errata/RHSA-2013-1028.html
- http://rhn.redhat.com/errata/RHSA-2013-1147.html
- http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
- http://www.openwall.com/lists/oss-security/2013/02/11/7
- http://www.openwall.com/lists/oss-security/2013/02/11/8
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862
- http://www.ubuntu.com/usn/USN-1733-1
- http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection
- https://web.archive.org/web/20130228082541/http://www.securityfocus.com/bid/57899
- https://web.archive.org/web/20160331131233/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
- https://web.archive.org/web/20160808163226/https://puppet.com/security/cve/cve-2013-0269
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2013-0269.yml
- https://github.com/advisories/GHSA-x457-cw4h-hq5f (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2013-0269 https://nvd.nist.gov/vuln/detail/CVE-2013-0269 http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/
- https://bugzilla.redhat.com/show_bug.cgi?id=909029
- https://access.redhat.com/errata/RHSA-2013:1028
- https://access.redhat.com/errata/RHSA-2013:1185
- https://access.redhat.com/errata/RHSA-2013:1147
- https://access.redhat.com/errata/RHSA-2013:0686
- https://access.redhat.com/errata/RHSA-2013:0701
- https://access.redhat.com/security/cve/CVE-2013-0269
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=694933&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=694933&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=694934&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=694934&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=694936&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=694936&action=edit
- https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58
- http://thread.gmane.org/gmane.comp.security.oss.general/9352
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=910314
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=910313
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=910315
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=696457&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=696457&action=edit
- http://tenderlovemaking.com/
- http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/
- https://rhn.redhat.com/errata/RHSA-2013-0686.html
- https://rhn.redhat.com/errata/RHSA-2013-0701.html
- https://rhn.redhat.com/errata/RHSA-2013-1028.html
- https://rhn.redhat.com/errata/RHSA-2013-1147.html
- https://rhn.redhat.com/errata/RHSA-2013-1185.html
- https://github.com/flori/json/releases/tag/v1.4.6-java
- https://github.com/flori/json/releases/tag/v1.4.6
- https://access.redhat.com/security/cve/CVE-2020-10663
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1862203
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=909029#c39
- http://secunia.com/advisories/52075
- http://secunia.com/advisories/52774
- http://secunia.com/advisories/52902
- http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
- http://www.osvdb.org/90074
- http://www.securityfocus.com/bid/57899
- https://puppet.com/security/cve/cve-2013-0269
Parent vulnerabilities
(Appears in the following advisories)
- collector/github-advisory
- alias/GHSA-x457-cw4h-hq5f
- alias/CVE-2013-0269
- collector/github-advisory-latest
- package-manager/rubygems
- collector/redhat-cve
- collector/redhat-bugzilla
- collector/nvd-cve
- collector/nvd-index
- agent/weakness
- agent/author
- agent/severity
- agent/type
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/description
- agent/references
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/rubygems
- canonical/rubygems json gem
- version/rubygems json gem/1.5.0
- version/rubygems json gem/1.5.1
- version/rubygems json gem/1.5.2
- version/rubygems json gem/1.5.3
- version/rubygems json gem/1.5.4
- version/rubygems json gem/1.6.0
- version/rubygems json gem/1.6.1
- version/rubygems json gem/1.6.2
- version/rubygems json gem/1.6.3
- version/rubygems json gem/1.6.4
- version/rubygems json gem/1.6.5
- version/rubygems json gem/1.6.6
- version/rubygems json gem/1.6.7
- version/rubygems json gem/1.7.0
- version/rubygems json gem/1.7.1
- version/rubygems json gem/1.7.2
- version/rubygems json gem/1.7.3
- version/rubygems json gem/1.7.4
- version/rubygems json gem/1.7.5
- version/rubygems json gem/1.7.6