Does CVE-2013-0156 affect Red Hat products?
Environment
- OpenShift Enterprise 1.0
- CloudForms 1.1
- Subscription Asset Manager 1.1
Issue
- The flaw identified by CVE-2013-0156 (Red Hat Bugzilla 892870) describes an issue in parameter parsing in Ruby on Rails. All Ruby on Rails applications are affected unless they have explicitly disabled XML parameter handling. This flaw could allow a remote attacker to run arbitrary code in the context of the Ruby on Rails application.
Resolution
OpenShift Enterprise 1.0
- An update to correct this issue is available, RHSA-2013:0153
CloudForms 1.1
- An update to correct this issue is available, RHSA-2013:0155
Subscription Asset Manager 1.1
- An update to correct this issue is available, RHSA-2013:0154
Workaround
- Updates to correct this issue are available for all affected Red Hat products. If you are unable to deploy updates, an interim workaround is available.
- If your deployed Ruby on Rails applications do not rely on XML parameter support, then the best workaround is to disable it entirely. To do this, place the following snippet inside the application initializer:
    ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
- If your deployed Ruby on Rails applications do rely on XML parameter support, a more complex workaround is possible. See the upstream advisory for more details.
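For applications that cannot take the update and need XML only on a few endpoints, a middleware-level filter is another interim option. The following is an added example, not code from the Red Hat article or from Rails: a small Rack-style middleware (class name RejectXmlParams and the allow_paths option are assumptions) that answers XML request bodies with 415 before they reach ActionDispatch::ParamsParser, except on an allowlist of paths. It depends only on the Rack env hash, so it runs without Rails installed.

```ruby
# Added example (not from the Red Hat article): refuse XML request bodies
# before the Rails parameter parser sees them. Rails selects the XML parser
# from the request Content-Type, so that header is what is checked here.
class RejectXmlParams
  XML_TYPES = %w[application/xml text/xml].freeze

  # allow_paths: request paths that legitimately accept XML bodies (assumed option)
  def initialize(app, allow_paths: [])
    @app = app
    @allow_paths = allow_paths
  end

  # True when the media type (ignoring charset parameters) is an XML type.
  def self.xml_body?(env)
    ctype = env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase
    XML_TYPES.include?(ctype)
  end

  def call(env)
    if self.class.xml_body?(env) && !@allow_paths.include?(env["PATH_INFO"])
      body = "XML request bodies are not accepted\n"
      return [415,
              { "Content-Type" => "text/plain", "Content-Length" => body.bytesize.to_s },
              [body]]
    end
    @app.call(env)
  end
end

# Constructed inner app and sample requests for a stand-alone run.
INNER_APP = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }

def status_for(env, allow_paths: [])
  RejectXmlParams.new(INNER_APP, allow_paths: allow_paths).call(env).first
end

JSON_REQ = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/users",
             "CONTENT_TYPE" => "application/json" }
XML_REQ  = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/users",
             "CONTENT_TYPE" => "application/xml; charset=utf-8" }
XML_OK   = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/api/import",
             "CONTENT_TYPE" => "text/xml" }

if __FILE__ == $0
  puts status_for(JSON_REQ)                              # 200
  puts status_for(XML_REQ)                               # 415
  puts status_for(XML_OK, allow_paths: ["/api/import"])  # 200
end
```

In a Rails 3 application this would be registered with config.middleware.insert_before ActionDispatch::ParamsParser, RejectXmlParams so it runs ahead of the parameter parser; it is a stopgap for the allowlisted paths only, and those still need the vendor update.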
Root Cause
- The flaw, CVE-2013-0156, relates to the ability to specify POST parameters in XML format, which Ruby on Rails supports in addition to the query string and JSON formats.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.