Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rubygemsRubySecRUBY:ACTIVERECORD-2022-32224
HistoryJul 11, 2022 - 9:00 p.m.

Possible RCE escalation bug with Serialized Columns in Active Record

2022-07-1121:00:00
RubySec
rubysec.com
23
JSON

There is a possible escalation to RCE when using YAML serialized columns in
Active Record. This vulnerability has been assigned the CVE identifier
CVE-2022-32224.

Versions Affected: All.
Not affected: None
Fixed Versions: 7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1

Impact

When serialized columns that use YAML (the default) are deserialized, Rails
uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an
attacker can manipulate data in the database (via means like SQL injection),
then it may be possible for the attacker to escalate to an RCE.

Impacted Active Record models will look something like this:

class User < ApplicationRecord
  serialize :options       # Vulnerable: Uses YAML for serialization
  serialize :values, Array # Vulnerable: Uses YAML for serialization
  serialize :values, JSON  # Not vulnerable
end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

The released versions change the default YAML deserializer to use
YAML.safe_load, which prevents deserialization of possibly dangerous
objects. This may introduce backwards compatibility issues with existing
data.

In order to cope with that situation, the released version also contains two
new Active Record configuration options. The configuration options are as
follows:

  • config.active_record.use_yaml_unsafe_load

When set to true, this configuration option tells Rails to use the old
“unsafe” YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.

  • config.active_record.yaml_column_permitted_classes

The “safe YAML” loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed “safe” in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:

config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]

Workarounds

There are no feasible workarounds for this issue, but other coders (such as
JSON) are not impacted.

Related

github 1
cve 1
ubuntucve 1
debian 2
redhatcve 1
osv 2
gitlab 2
veracode 1
prion 1
debiancve 1
nessus 3
githubexploit 1
redhat 3
openvas 1
rocky 1
github
github
Active Record RCE bug with Serialized Columns
2022-07-12 19:39:47
cve
cve
CVE-2022-32224
2022-12-05 22:15:00
ubuntucve
ubuntucve
CVE-2022-32224
2022-12-05 00:00:00
debian
debian
[SECURITY] [DLA 3093-2] rails regression update
2022-09-15 07:58:25
[SECURITY] [DLA 3093-1] rails security update
2022-09-03 11:34:10
redhatcve
redhatcve
CVE-2022-32224
2022-07-20 09:43:52
osv
osv
Active Record RCE bug with Serialized Columns
2022-07-12 19:39:47
CVE-2022-32224
2022-12-05 22:15:10
gitlab
gitlab
Deserialization of Untrusted Data
2022-12-05 00:00:00
RCE bug with Serialized Columns in Active Record
2022-07-12 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2022-07-13 10:37:13
prion
prion
Sql injection
2022-12-05 22:15:00
debiancve
debiancve
CVE-2022-32224
2022-12-05 22:15:00
nessus
nessus
openSUSE 15 Security Update : rubygem-activerecord-5.2 (openSUSE-SU-2023:0009-1)
2023-01-12 00:00:00
Debian DLA-3093-1 : rails - LTS security update
2022-09-13 00:00:00
Rocky Linux 8 : Satellite 6.13 Release (Important) (RLSA-2023:2097)
2023-05-05 00:00:00
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Activerecord Project Activerecord
2022-07-17 04:09:03
redhat
redhat
(RHSA-2023:1151) Critical: Satellite 6.11.5 Async Security Update
2023-03-07 18:53:49
(RHSA-2023:0261) Critical: Satellite 6.12.1 Async Security Update
2023-01-18 14:49:14
(RHSA-2023:2097) Important: Satellite 6.13 Release
2023-05-03 13:09:51
openvas
openvas
Debian: Security Advisory (DLA-3093-1)
2022-09-04 00:00:00
rocky
rocky
Satellite 6.13 Release
2023-05-05 15:39:58
JSON
Related for RUBY:ACTIVERECORD-2022-32224
github1cve1ubuntucve1debian2redhatcve1osv2gitlab2veracode1prion1debiancve1nessus3githubexploit1redhat3openvas1rocky1