ID CVE-2015-3225
Summary lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
References
Vulnerable Configurations
  • Rack Project Rack 1.6.1
    cpe:2.3:a:rack_project:rack:1.6.1
  • Rack Project Rack 1.6.0
    cpe:2.3:a:rack_project:rack:1.6.0
  • Rack Project Rack 1.5.3
    cpe:2.3:a:rack_project:rack:1.5.3
  • Novell openSUSE 13.1
    cpe:2.3:o:novell:opensuse:13.1
  • Novell openSUSE 13.2
    cpe:2.3:o:novell:opensuse:13.2
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
CVSS
Base: 5.0 (as of 30-08-2016 - 10:27)
Impact:
Exploitability:
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3322.NASL
    description Tomek Rabczak from the NCC Group discovered a flaw in the normalize_params() method in Rack, a modular Ruby webserver interface. A remote attacker can use this flaw via specially crafted requests to cause a `SystemStackError` and potentially cause a denial of service condition for the service.
    last seen 2017-10-29
    modified 2015-08-05
    plugin id 85161
    published 2015-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85161
    title Debian DSA-3322-1 : ruby-rack - security update
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2290.NASL
    description An updated pcs package that fixes one security issue, several bugs, and adds various enhancements is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The pcs package provides a configuration tool for Corosync and Pacemaker. It permits users to easily view, modify and create Pacemaker based clusters. The pcs package includes Rack, which provides a minimal interface between webservers that support Ruby and Ruby frameworks. A flaw was found in a way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash. (CVE-2015-3225) Red Hat would like to thank Ruby upstream developers for reporting this. Upstream acknowledges Tomek Rabczak from the NCC Group as the original reporter. The pcs package has been upgraded to upstream version 0.9.143, which provides a number of bug fixes and enhancements over the previous version. (BZ#1198265) The following enhancements are described in more detail in the Red Hat Enterprise Linux 7.2 Release Notes, linked to from the References section:
    * The pcs resource move and pcs resource ban commands now display a warning message to clarify the commands' behavior (BZ#1201452)
    * New command to move a Pacemaker resource to its preferred node (BZ#1122818)
    This update also fixes the following bugs:
    * Before this update, a bug caused location, ordering, and colocation constraints related to a resource group to be removed when removing any resource from that group. This bug has been fixed, and the constraints are now preserved until the group has no resources left, and is removed. (BZ#1158537)
    * Previously, when a user disabled a resource clone or multi-state resource, and then later enabled a primitive resource within it, the clone or multi-state resource remained disabled. With this update, enabling a resource within a disabled clone or multi-state resource enables it. (BZ#1218979)
    * When the web UI displayed a list of resource attributes, a bug caused the list to be truncated at the first '=' character. This update fixes the bug and now the web UI displays lists of resource attributes correctly. (BZ#1243579)
    * The documentation for the 'pcs stonith confirm' command was not clear. This could lead to incorrect usage of the command, which could in turn cause data corruption. With this update, the documentation has been improved and the 'pcs stonith confirm' command is now more clearly explained. (BZ#1245264)
    * Previously, if there were any unauthenticated nodes, creating a new cluster, adding a node to an existing cluster, or adding a cluster to the web UI failed with the message 'Node is not authenticated'. With this update, when the web UI detects a problem with authentication, the web UI displays a dialog to authenticate nodes as necessary. (BZ#1158569)
    * Previously, the web UI displayed only primitive resources. Thus there was no way to set attributes, constraints and other properties separately for a parent resource and a child resource. This has now been fixed, and resources are displayed in a tree structure, meaning all resource elements can be viewed and edited independently. (BZ#1189857)
    In addition, this update adds the following enhancements:
    * A dashboard has been added which shows the status of clusters in the web UI. Previously, it was not possible to view all important information about clusters in one place. Now, a dashboard showing the status of clusters has been added to the main page of the web UI. (BZ#1158566)
    * With this update, the pcsd daemon automatically synchronizes pcsd configuration across a cluster. This enables the web UI to be run from any node, allowing management even if any particular node is down. (BZ#1158577)
    * The web UI can now be used to set permissions for users and groups on a cluster. This allows users and groups to have their access restricted to certain operations on certain clusters. (BZ#1158571)
    All pcs users are advised to upgrade to this updated package, which corrects these issues and adds these enhancements.
    last seen 2017-10-29
    modified 2016-04-28
    plugin id 87148
    published 2015-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87148
    title CentOS 7 : pcs (CESA-2015:2290)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_EB8A89788DD549CE87F449667B2166DD.NASL
    description Ruby on Rails blog : Rails 3.2.22, 4.1.11 and 4.2.2 have been released, along with web console and jquery-rails plugins and Rack 1.5.4 and 1.6.2.
    last seen 2017-10-29
    modified 2016-05-16
    plugin id 84255
    published 2015-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84255
    title FreeBSD : rubygem-rails -- multiple vulnerabilities (eb8a8978-8dd5-49ce-87f4-49667b2166dd)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151119_PCS_ON_SL7_X.NASL
    description A flaw was found in a way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash. (CVE-2015-3225) The pcs package has been upgraded to upstream version 0.9.143, which provides a number of bug fixes and enhancements over the previous version.
    - The pcs resource move and pcs resource ban commands now display a warning message to clarify the commands' behavior
    - New command to move a Pacemaker resource to its preferred node
    This update also fixes the following bugs:
    - Before this update, a bug caused location, ordering, and colocation constraints related to a resource group to be removed when removing any resource from that group. This bug has been fixed, and the constraints are now preserved until the group has no resources left, and is removed.
    - Previously, when a user disabled a resource clone or multi-state resource, and then later enabled a primitive resource within it, the clone or multi-state resource remained disabled. With this update, enabling a resource within a disabled clone or multi-state resource enables it.
    - When the web UI displayed a list of resource attributes, a bug caused the list to be truncated at the first '=' character. This update fixes the bug and now the web UI displays lists of resource attributes correctly.
    - The documentation for the 'pcs stonith confirm' command was not clear. This could lead to incorrect usage of the command, which could in turn cause data corruption. With this update, the documentation has been improved and the 'pcs stonith confirm' command is now more clearly explained.
    - Previously, if there were any unauthenticated nodes, creating a new cluster, adding a node to an existing cluster, or adding a cluster to the web UI failed with the message 'Node is not authenticated'. With this update, when the web UI detects a problem with authentication, the web UI displays a dialog to authenticate nodes as necessary.
    - Previously, the web UI displayed only primitive resources. Thus there was no way to set attributes, constraints and other properties separately for a parent resource and a child resource. This has now been fixed, and resources are displayed in a tree structure, meaning all resource elements can be viewed and edited independently.
    In addition, this update adds the following enhancements:
    - A dashboard has been added which shows the status of clusters in the web UI. Previously, it was not possible to view all important information about clusters in one place. Now, a dashboard showing the status of clusters has been added to the main page of the web UI.
    - With this update, the pcsd daemon automatically synchronizes pcsd configuration across a cluster. This enables the web UI to be run from any node, allowing management even if any particular node is down.
    - The web UI can now be used to set permissions for users and groups on a cluster. This allows users and groups to have their access restricted to certain operations on certain clusters.
    last seen 2017-10-29
    modified 2015-12-22
    plugin id 87569
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87569
    title Scientific Linux Security Update : pcs on SL7.x x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-12978.NASL
    description Fix for CVE-2015-3225: Potential Denial of Service Vulnerability in Rack - Related rhbz#CVE-2015-3225 New rubygem-rack-1.6.1-1.fc22 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 85550
    published 2015-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85550
    title Fedora 22 : rubygem-rack-1.6.1-2.fc22 (2015-12978)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-12979.NASL
    description Fix for CVE-2015-3225: Potential Denial of Service Vulnerability in Rack - Related rhbz#CVE-2015-3225 New rubygem-rack-1.6.1-1.fc22 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 85665
    published 2015-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85665
    title Fedora 21 : rubygem-rack-1.5.2-5.fc21 (2015-12979)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-254.NASL
    description There is a potential denial of service vulnerability in Rack, a modular Ruby webserver interface. Carefully crafted requests can cause a `SystemStackError` and cause a denial of service attack by exploiting the lack of a sensible depth check when doing parameter normalization. We recommend that you update your librack-ruby packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-05
    plugin id 84408
    published 2015-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84408
    title Debian DLA-254-1 : librack-ruby security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-500.NASL
    description rubygem-rack-1_4 was updated to fix one security issue. This security issue was fixed : - CVE-2015-3225: Potential Denial of Service Vulnerability in Rack (bsc#934797).
    last seen 2017-10-29
    modified 2015-07-28
    plugin id 84869
    published 2015-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84869
    title openSUSE Security Update : rubygem-rack-1_4 (openSUSE-2015-500)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2290.NASL
    description An updated pcs package that fixes one security issue, several bugs, and adds various enhancements is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The pcs package provides a configuration tool for Corosync and Pacemaker. It permits users to easily view, modify and create Pacemaker based clusters. The pcs package includes Rack, which provides a minimal interface between webservers that support Ruby and Ruby frameworks. A flaw was found in a way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash. (CVE-2015-3225) Red Hat would like to thank Ruby upstream developers for reporting this. Upstream acknowledges Tomek Rabczak from the NCC Group as the original reporter. The pcs package has been upgraded to upstream version 0.9.143, which provides a number of bug fixes and enhancements over the previous version. (BZ#1198265) The following enhancements are described in more detail in the Red Hat Enterprise Linux 7.2 Release Notes, linked to from the References section:
    * The pcs resource move and pcs resource ban commands now display a warning message to clarify the commands' behavior (BZ#1201452)
    * New command to move a Pacemaker resource to its preferred node (BZ#1122818)
    This update also fixes the following bugs:
    * Before this update, a bug caused location, ordering, and colocation constraints related to a resource group to be removed when removing any resource from that group. This bug has been fixed, and the constraints are now preserved until the group has no resources left, and is removed. (BZ#1158537)
    * Previously, when a user disabled a resource clone or multi-state resource, and then later enabled a primitive resource within it, the clone or multi-state resource remained disabled. With this update, enabling a resource within a disabled clone or multi-state resource enables it. (BZ#1218979)
    * When the web UI displayed a list of resource attributes, a bug caused the list to be truncated at the first '=' character. This update fixes the bug and now the web UI displays lists of resource attributes correctly. (BZ#1243579)
    * The documentation for the 'pcs stonith confirm' command was not clear. This could lead to incorrect usage of the command, which could in turn cause data corruption. With this update, the documentation has been improved and the 'pcs stonith confirm' command is now more clearly explained. (BZ#1245264)
    * Previously, if there were any unauthenticated nodes, creating a new cluster, adding a node to an existing cluster, or adding a cluster to the web UI failed with the message 'Node is not authenticated'. With this update, when the web UI detects a problem with authentication, the web UI displays a dialog to authenticate nodes as necessary. (BZ#1158569)
    * Previously, the web UI displayed only primitive resources. Thus there was no way to set attributes, constraints and other properties separately for a parent resource and a child resource. This has now been fixed, and resources are displayed in a tree structure, meaning all resource elements can be viewed and edited independently. (BZ#1189857)
    In addition, this update adds the following enhancements:
    * A dashboard has been added which shows the status of clusters in the web UI. Previously, it was not possible to view all important information about clusters in one place. Now, a dashboard showing the status of clusters has been added to the main page of the web UI. (BZ#1158566)
    * With this update, the pcsd daemon automatically synchronizes pcsd configuration across a cluster. This enables the web UI to be run from any node, allowing management even if any particular node is down. (BZ#1158577)
    * The web UI can now be used to set permissions for users and groups on a cluster. This allows users and groups to have their access restricted to certain operations on certain clusters. (BZ#1158571)
    All pcs users are advised to upgrade to this updated package, which corrects these issues and adds these enhancements.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 86980
    published 2015-11-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86980
    title RHEL 7 : pcs (RHSA-2015:2290)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-498.NASL
    description rubygem-rack was updated to fix one security issue. This security issue was fixed : - CVE-2015-3225: Potential Denial of Service Vulnerability in Rack (bsc#934797).
    last seen 2017-10-29
    modified 2015-07-28
    plugin id 84867
    published 2015-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84867
    title openSUSE Security Update : rubygem-rack (openSUSE-2015-498)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-499.NASL
    description rubygem-rack-1_3 was updated to fix one security issue. This security issue was fixed : - CVE-2015-3225: Potential Denial of Service Vulnerability in Rack (bsc#934797).
    last seen 2017-10-29
    modified 2015-07-28
    plugin id 84868
    published 2015-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84868
    title openSUSE Security Update : rubygem-rack-1_3 (openSUSE-2015-499)
redhat via4
advisories
bugzilla
id 1268801
title introduces regression for Clone and M/S resources
oval
AND
  • comment pcs is earlier than 0:0.9.143-15.el7
    oval oval:com.redhat.rhsa:tst:20152290005
  • comment pcs is signed with Red Hat redhatrelease2 key
    oval oval:com.redhat.rhsa:tst:20150980006
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
rhsa
id RHSA-2015:2290
released 2015-06-08
severity Moderate
title RHSA-2015:2290: pcs security, bug fix, and enhancement update (Moderate)
rpms pcs-0:0.9.143-15.el7
refmap via4
bid 75232
confirm https://github.com/rack/rack/blob/master/HISTORY.md
debian DSA-3322
fedora
  • FEDORA-2015-12978
  • FEDORA-2015-12979
mlist
  • [oss-security] 20150616 [CVE-2015-3225] Potential Denial of Service Vulnerability in Rack
  • [rubyonrails-security] 20150616 [CVE-2015-3225] Potential Denial of Service Vulnerability in Rack
suse
  • openSUSE-SU-2015:1259
  • openSUSE-SU-2015:1262
  • openSUSE-SU-2015:1263
Last major update 23-12-2016 - 21:59
Published 26-07-2015 - 18:59