Amazon Linux AMI update for ruby24



Published: 2020-09-01
Risk: High
Patch available: YES
Number of vulnerabilities: 8
CVE-ID: CVE-2012-6708, CVE-2015-9251, CVE-2017-17742, CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-10663
CWE-ID: CWE-79, CWE-113, CWE-20, CWE-94
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: Amazon Linux AMI (Operating systems & Components / Operating system)
Vendor: Amazon Web Services

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Cross-site scripting

EUVDB-ID: #VU18263

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2012-6708

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: Yes

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the jQuery(strInput) function, which does not differentiate selectors from HTML. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages:

i686:
    rubygem24-psych-2.2.2-2.12.amzn1.i686
    ruby24-libs-2.4.10-2.12.amzn1.i686
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686
    ruby24-devel-2.4.10-2.12.amzn1.i686
    ruby24-debuginfo-2.4.10-2.12.amzn1.i686
    rubygem24-io-console-0.4.6-2.12.amzn1.i686
    ruby24-2.4.10-2.12.amzn1.i686
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686
    rubygem24-net-telnet-0.1.1-2.12.amzn1.i686
    rubygem24-json-2.0.4-2.12.amzn1.i686

noarch:
    rubygems24-2.6.14.4-2.12.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch
    rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
    rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
    rubygem24-rdoc-5.0.1-2.12.amzn1.noarch
    rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
    ruby24-irb-2.4.10-2.12.amzn1.noarch
    ruby24-doc-2.4.10-2.12.amzn1.noarch
    rubygem24-test-unit-3.2.3-2.12.amzn1.noarch

src:
    ruby24-2.4.10-2.12.amzn1.src

x86_64:
    ruby24-2.4.10-2.12.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64
    rubygem24-json-2.0.4-2.12.amzn1.x86_64
    ruby24-devel-2.4.10-2.12.amzn1.x86_64
    ruby24-libs-2.4.10-2.12.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64
    ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
    rubygem24-psych-2.2.2-2.12.amzn1.x86_64
    rubygem24-io-console-0.4.6-2.12.amzn1.x86_64
    rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1422.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Cross-site scripting

EUVDB-ID: #VU14150

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-9251

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when a cross-domain Ajax request is performed without the dataType option. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary text/javascript responses in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages:

i686:
    rubygem24-psych-2.2.2-2.12.amzn1.i686
    ruby24-libs-2.4.10-2.12.amzn1.i686
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686
    ruby24-devel-2.4.10-2.12.amzn1.i686
    ruby24-debuginfo-2.4.10-2.12.amzn1.i686
    rubygem24-io-console-0.4.6-2.12.amzn1.i686
    ruby24-2.4.10-2.12.amzn1.i686
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686
    rubygem24-net-telnet-0.1.1-2.12.amzn1.i686
    rubygem24-json-2.0.4-2.12.amzn1.i686

noarch:
    rubygems24-2.6.14.4-2.12.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch
    rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
    rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
    rubygem24-rdoc-5.0.1-2.12.amzn1.noarch
    rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
    ruby24-irb-2.4.10-2.12.amzn1.noarch
    ruby24-doc-2.4.10-2.12.amzn1.noarch
    rubygem24-test-unit-3.2.3-2.12.amzn1.noarch

src:
    ruby24-2.4.10-2.12.amzn1.src

x86_64:
    ruby24-2.4.10-2.12.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64
    rubygem24-json-2.0.4-2.12.amzn1.x86_64
    ruby24-devel-2.4.10-2.12.amzn1.x86_64
    ruby24-libs-2.4.10-2.12.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64
    ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
    rubygem24-psych-2.2.2-2.12.amzn1.x86_64
    rubygem24-io-console-0.4.6-2.12.amzn1.x86_64
    rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1422.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) HTTP response splitting

EUVDB-ID: #VU11537

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-17742

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform an HTTP response splitting attack.

The weakness exists due to improper handling of HTTP requests. If a script accepts external input and outputs it without modification as part of an HTTP response, a remote attacker can use newline characters to make the HTTP response header appear to end at that point and inject fake HTTP responses after the newline characters to show malicious content to the victim.

Mitigation

Update the affected packages:

i686:
    rubygem24-psych-2.2.2-2.12.amzn1.i686
    ruby24-libs-2.4.10-2.12.amzn1.i686
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686
    ruby24-devel-2.4.10-2.12.amzn1.i686
    ruby24-debuginfo-2.4.10-2.12.amzn1.i686
    rubygem24-io-console-0.4.6-2.12.amzn1.i686
    ruby24-2.4.10-2.12.amzn1.i686
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686
    rubygem24-net-telnet-0.1.1-2.12.amzn1.i686
    rubygem24-json-2.0.4-2.12.amzn1.i686

noarch:
    rubygems24-2.6.14.4-2.12.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch
    rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
    rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
    rubygem24-rdoc-5.0.1-2.12.amzn1.noarch
    rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
    ruby24-irb-2.4.10-2.12.amzn1.noarch
    ruby24-doc-2.4.10-2.12.amzn1.noarch
    rubygem24-test-unit-3.2.3-2.12.amzn1.noarch

src:
    ruby24-2.4.10-2.12.amzn1.src

x86_64:
    ruby24-2.4.10-2.12.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64
    rubygem24-json-2.0.4-2.12.amzn1.x86_64
    ruby24-devel-2.4.10-2.12.amzn1.x86_64
    ruby24-libs-2.4.10-2.12.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64
    ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
    rubygem24-psych-2.2.2-2.12.amzn1.x86_64
    rubygem24-io-console-0.4.6-2.12.amzn1.x86_64
    rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1422.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU23006

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-15845

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists in Ruby due to insufficient validation of user-supplied files within the File.fnmatch and File.fnmatch? functions when processing a NUL byte in the filename. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the system.

Mitigation

Update the affected packages:

i686:
    rubygem24-psych-2.2.2-2.12.amzn1.i686
    ruby24-libs-2.4.10-2.12.amzn1.i686
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686
    ruby24-devel-2.4.10-2.12.amzn1.i686
    ruby24-debuginfo-2.4.10-2.12.amzn1.i686
    rubygem24-io-console-0.4.6-2.12.amzn1.i686
    ruby24-2.4.10-2.12.amzn1.i686
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686
    rubygem24-net-telnet-0.1.1-2.12.amzn1.i686
    rubygem24-json-2.0.4-2.12.amzn1.i686

noarch:
    rubygems24-2.6.14.4-2.12.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch
    rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
    rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
    rubygem24-rdoc-5.0.1-2.12.amzn1.noarch
    rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
    ruby24-irb-2.4.10-2.12.amzn1.noarch
    ruby24-doc-2.4.10-2.12.amzn1.noarch
    rubygem24-test-unit-3.2.3-2.12.amzn1.noarch

src:
    ruby24-2.4.10-2.12.amzn1.src

x86_64:
    ruby24-2.4.10-2.12.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64
    rubygem24-json-2.0.4-2.12.amzn1.x86_64
    ruby24-devel-2.4.10-2.12.amzn1.x86_64
    ruby24-libs-2.4.10-2.12.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64
    ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
    rubygem24-psych-2.2.2-2.12.amzn1.x86_64
    rubygem24-io-console-0.4.6-2.12.amzn1.x86_64
    rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1422.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU23007

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16201

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within WEBrick::HTTPAuth::DigestAuth in Ruby, caused by a regular expression issue. A remote attacker can send a specially crafted request to the application and perform a denial of service attack.

Mitigation

Update the affected packages:

i686:
    rubygem24-psych-2.2.2-2.12.amzn1.i686
    ruby24-libs-2.4.10-2.12.amzn1.i686
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686
    ruby24-devel-2.4.10-2.12.amzn1.i686
    ruby24-debuginfo-2.4.10-2.12.amzn1.i686
    rubygem24-io-console-0.4.6-2.12.amzn1.i686
    ruby24-2.4.10-2.12.amzn1.i686
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686
    rubygem24-net-telnet-0.1.1-2.12.amzn1.i686
    rubygem24-json-2.0.4-2.12.amzn1.i686

noarch:
    rubygems24-2.6.14.4-2.12.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch
    rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
    rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
    rubygem24-rdoc-5.0.1-2.12.amzn1.noarch
    rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
    ruby24-irb-2.4.10-2.12.amzn1.noarch
    ruby24-doc-2.4.10-2.12.amzn1.noarch
    rubygem24-test-unit-3.2.3-2.12.amzn1.noarch

src:
    ruby24-2.4.10-2.12.amzn1.src

x86_64:
    ruby24-2.4.10-2.12.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64
    rubygem24-json-2.0.4-2.12.amzn1.x86_64
    ruby24-devel-2.4.10-2.12.amzn1.x86_64
    ruby24-libs-2.4.10-2.12.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64
    ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
    rubygem24-psych-2.2.2-2.12.amzn1.x86_64
    rubygem24-io-console-0.4.6-2.12.amzn1.x86_64
    rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1422.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) HTTP response splitting

EUVDB-ID: #VU23008

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16254

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform an HTTP response splitting attack.

The vulnerability exists due to insufficient validation of CRLF sequences within WEBrick in Ruby. A remote attacker can send a specially crafted request to the application and perform a spoofing attack.
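
The two response splitting entries in this bulletin (CVE-2017-17742 and CVE-2019-16254) both come down to header values that reach the wire with CR/LF intact. The Ruby sketch below is an added example, not code from the bulletin or from WEBrick; it places a verbatim header builder beside one that rejects CR, LF and NUL, and the method names and the `LANG_PARAM` value are constructed for illustration.

```ruby
# Added example: header construction with and without CR/LF rejection.
class HeaderInjectionError < ArgumentError; end

FIELD_NAME = /\A[A-Za-z0-9-]+\z/   # conservative subset of the RFC 7230 token characters
FORBIDDEN  = /[\r\n\x00]/          # characters that end or corrupt a header line

# Copies the value verbatim: the pattern the bulletin describes.
def unsafe_header(name, value)
  "#{name}: #{value}\r\n"
end

# Refuses to emit a header whose name or value could start a new line.
def safe_header(name, value)
  name = name.to_s
  value = value.to_s
  raise HeaderInjectionError, "invalid field name" unless FIELD_NAME.match?(name)
  raise HeaderInjectionError, "CR/LF/NUL in #{name} value" if FORBIDDEN.match?(value)
  "#{name}: #{value}\r\n"
end

# Serializes a response using the chosen builder (:unsafe_header or :safe_header).
def build_response(headers, body, builder)
  head = headers.map { |n, v| send(builder, n, v) }.join
  "HTTP/1.1 200 OK\r\n#{head}Content-Length: #{body.bytesize}\r\n\r\n#{body}"
end

# What a client parses: header field names up to the first empty line.
def seen_header_names(raw)
  raw.split("\r\n\r\n", 2).first.split("\r\n").drop(1).map { |l| l.split(":", 2).first }
end

# Constructed request parameter that an application echoes into Content-Language.
LANG_PARAM = "en\r\nX-Injected: 1"

if __FILE__ == $PROGRAM_NAME
  raw = build_response({ "Content-Language" => LANG_PARAM }, "hi", :unsafe_header)
  puts "verbatim builder, headers seen by client: #{seen_header_names(raw).inspect}"
  begin
    build_response({ "Content-Language" => LANG_PARAM }, "hi", :safe_header)
  rescue HeaderInjectionError => e
    puts "validating builder rejected the value: #{e.message}"
  end
end
```

Rejecting the value is preferable to silently stripping the characters, because the rejection also gives the application a log event to alert on.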

Mitigation

Update the affected packages:

i686:
    rubygem24-psych-2.2.2-2.12.amzn1.i686
    ruby24-libs-2.4.10-2.12.amzn1.i686
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686
    ruby24-devel-2.4.10-2.12.amzn1.i686
    ruby24-debuginfo-2.4.10-2.12.amzn1.i686
    rubygem24-io-console-0.4.6-2.12.amzn1.i686
    ruby24-2.4.10-2.12.amzn1.i686
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686
    rubygem24-net-telnet-0.1.1-2.12.amzn1.i686
    rubygem24-json-2.0.4-2.12.amzn1.i686

noarch:
    rubygems24-2.6.14.4-2.12.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch
    rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
    rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
    rubygem24-rdoc-5.0.1-2.12.amzn1.noarch
    rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
    ruby24-irb-2.4.10-2.12.amzn1.noarch
    ruby24-doc-2.4.10-2.12.amzn1.noarch
    rubygem24-test-unit-3.2.3-2.12.amzn1.noarch

src:
    ruby24-2.4.10-2.12.amzn1.src

x86_64:
    ruby24-2.4.10-2.12.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64
    rubygem24-json-2.0.4-2.12.amzn1.x86_64
    ruby24-devel-2.4.10-2.12.amzn1.x86_64
    ruby24-libs-2.4.10-2.12.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64
    ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
    rubygem24-psych-2.2.2-2.12.amzn1.x86_64
    rubygem24-io-console-0.4.6-2.12.amzn1.x86_64
    rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1422.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Code injection

EUVDB-ID: #VU23009

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16255

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in lib/shell.rb in Ruby when processing Shell#[] and its alias Shell#test. A remote attacker can send a specially crafted request and execute arbitrary Ruby code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages:

i686:
    rubygem24-psych-2.2.2-2.12.amzn1.i686
    ruby24-libs-2.4.10-2.12.amzn1.i686
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686
    ruby24-devel-2.4.10-2.12.amzn1.i686
    ruby24-debuginfo-2.4.10-2.12.amzn1.i686
    rubygem24-io-console-0.4.6-2.12.amzn1.i686
    ruby24-2.4.10-2.12.amzn1.i686
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686
    rubygem24-net-telnet-0.1.1-2.12.amzn1.i686
    rubygem24-json-2.0.4-2.12.amzn1.i686

noarch:
    rubygems24-2.6.14.4-2.12.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch
    rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
    rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
    rubygem24-rdoc-5.0.1-2.12.amzn1.noarch
    rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
    ruby24-irb-2.4.10-2.12.amzn1.noarch
    ruby24-doc-2.4.10-2.12.amzn1.noarch
    rubygem24-test-unit-3.2.3-2.12.amzn1.noarch

src:
    ruby24-2.4.10-2.12.amzn1.src

x86_64:
    ruby24-2.4.10-2.12.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64
    rubygem24-json-2.0.4-2.12.amzn1.x86_64
    ruby24-devel-2.4.10-2.12.amzn1.x86_64
    ruby24-libs-2.4.10-2.12.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64
    ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
    rubygem24-psych-2.2.2-2.12.amzn1.x86_64
    rubygem24-io-console-0.4.6-2.12.amzn1.x86_64
    rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1422.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU32971

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10663

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

Mitigation

Update the affected packages:

i686:
    rubygem24-psych-2.2.2-2.12.amzn1.i686
    ruby24-libs-2.4.10-2.12.amzn1.i686
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686
    ruby24-devel-2.4.10-2.12.amzn1.i686
    ruby24-debuginfo-2.4.10-2.12.amzn1.i686
    rubygem24-io-console-0.4.6-2.12.amzn1.i686
    ruby24-2.4.10-2.12.amzn1.i686
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686
    rubygem24-net-telnet-0.1.1-2.12.amzn1.i686
    rubygem24-json-2.0.4-2.12.amzn1.i686

noarch:
    rubygems24-2.6.14.4-2.12.amzn1.noarch
    rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch
    rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
    rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
    rubygem24-rdoc-5.0.1-2.12.amzn1.noarch
    rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
    ruby24-irb-2.4.10-2.12.amzn1.noarch
    ruby24-doc-2.4.10-2.12.amzn1.noarch
    rubygem24-test-unit-3.2.3-2.12.amzn1.noarch

src:
    ruby24-2.4.10-2.12.amzn1.src

x86_64:
    ruby24-2.4.10-2.12.amzn1.x86_64
    rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64
    rubygem24-json-2.0.4-2.12.amzn1.x86_64
    ruby24-devel-2.4.10-2.12.amzn1.x86_64
    ruby24-libs-2.4.10-2.12.amzn1.x86_64
    rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64
    ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
    rubygem24-psych-2.2.2-2.12.amzn1.x86_64
    rubygem24-io-console-0.4.6-2.12.amzn1.x86_64
    rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2020-1422.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
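
To confirm that a host already carries the fixed builds, its installed package list can be compared against the versions listed in this bulletin. The Ruby sketch below is an added example, not part of the original bulletin; it parses `name-version-release.arch` strings as printed by `rpm -qa`, uses a simplified segment comparison rather than RPM's full algorithm (no epoch or tilde handling), and the `SAMPLE_INSTALLED` lines are constructed.

```ruby
# Fixed builds copied from the bulletin's x86_64 and noarch lists.
FIXED_NVRA = %w[
  ruby24-2.4.10-2.12.amzn1.x86_64 ruby24-libs-2.4.10-2.12.amzn1.x86_64
  ruby24-devel-2.4.10-2.12.amzn1.x86_64 ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64
  rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64 rubygem24-json-2.0.4-2.12.amzn1.x86_64
  rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64 rubygem24-psych-2.2.2-2.12.amzn1.x86_64
  rubygem24-io-console-0.4.6-2.12.amzn1.x86_64 rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64
  rubygems24-2.6.14.4-2.12.amzn1.noarch rubygems24-devel-2.6.14.4-2.12.amzn1.noarch
  rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch rubygem24-power_assert-0.4.1-2.12.amzn1.noarch
  rubygem24-rdoc-5.0.1-2.12.amzn1.noarch rubygem24-minitest5-5.10.1-2.12.amzn1.noarch
  ruby24-irb-2.4.10-2.12.amzn1.noarch ruby24-doc-2.4.10-2.12.amzn1.noarch
  rubygem24-test-unit-3.2.3-2.12.amzn1.noarch
].freeze

# name-version-release.arch; the name may itself contain hyphens.
NVRA = /\A(.+)-([^-]+)-([^-]+)\.([^.]+)\z/

def parse_nvra(line)
  m = NVRA.match(line.strip)
  m && { name: m[1], version: m[2], release: m[3], arch: m[4] }
end

# Split "2.12.amzn1" into [2, 12, "amzn", 1].
def segs(str)
  str.scan(/\d+|[A-Za-z]+/).map { |s| s =~ /\A\d+\z/ ? s.to_i : s }
end

# Simplified RPM-style comparison: -1, 0 or 1.
def vercmp(a, b)
  sa = segs(a)
  sb = segs(b)
  [sa.size, sb.size].max.times do |i|
    x = sa[i]
    y = sb[i]
    return -1 if x.nil?
    return 1 if y.nil?
    next if x == y
    # A numeric segment is newer than an alphabetic one.
    return(x.is_a?(Integer) ? 1 : -1) if x.class != y.class
    return x < y ? -1 : 1
  end
  0
end

FIXED = FIXED_NVRA.map { |l| parse_nvra(l) }.each_with_object({}) { |p, h| h[p[:name]] = p }

# Returns the installed packages that are older than the bulletin's fixed build.
def outdated(installed_lines)
  installed_lines.map { |l| parse_nvra(l) }.compact.select do |pkg|
    fix = FIXED[pkg[:name]]
    next false unless fix # package not covered by this bulletin
    c = vercmp(pkg[:version], fix[:version])
    c = vercmp(pkg[:release], fix[:release]) if c.zero?
    c < 0
  end.map { |p| "#{p[:name]}-#{p[:version]}-#{p[:release]}.#{p[:arch]}" }
end

# Constructed sample of `rpm -qa` output; versions are illustrative only.
SAMPLE_INSTALLED = [
  "ruby24-2.4.7-1.30.amzn1.x86_64", "rubygem24-json-2.0.4-2.12.amzn1.x86_64",
  "rubygems24-2.6.14.4-1.30.amzn1.noarch", "openssl-1.0.2k-16.151.amzn1.x86_64"
].freeze

puts outdated(SAMPLE_INSTALLED) if __FILE__ == $PROGRAM_NAME
```

On a real host, feed the function the lines of `rpm -qa` output instead of the sample; an empty result means every package covered by the bulletin is at or above the fixed build.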


