FreeBSD: VID-40194E1C-6D89-11EA-8082-80EE73419AF3 (CVE-2020-10663): rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)
Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-40194E1C-6D89-11EA-8082-80EE73419AF3:
When parsing certain JSON documents, the json gem (including the
one bundled with Ruby) can be coerced into creating arbitrary objects
in the target system.
This is the same issue as CVE-2013-0269. The previous fix was incomplete,
which addressed JSON.parse(user_input), but didn’t address some other
styles of JSON parsing including JSON(user_input) and
JSON.parse(user_input, nil).
See CVE-2013-0269 in detail. Note that the issue was exploitable to
cause a Denial of Service by creating many garbage-uncollectable
Symbol objects, but this kind of attack is no longer valid because
Symbol objects are now garbage-collectable. However, creating arbitrary
bjects may cause severe security consequences depending upon the
application code.
Please update the json gem to version 2.3.0 or later. You can use
gem update json to update it. If you are using bundler, please add
gem "json", ">= 2.3.0" to your Gemfile.
Solution(s)
- freebsd-upgrade-package-rubygem-json
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center