USN-5253-1: Rack vulnerabilities
13 December 2022
Several security issues were fixed in Rack.
Releases
Packages
- ruby-rack - modular Ruby webserver interface
Details
It was discovered that Rack insecurely handled session ids. An
unauthenticated remote attacker could possibly use this issue to perform
a timing attack and hijack sessions. (CVE-2019-16782)
It was discovered that Rack was incorrectly handling cookies during
parsing, not validating them or performing the necessary integrity checks.
An attacker could possibly use this issue to overwrite existing cookie
data and gain control over a remote system's behaviour. This issue only
affected Ubuntu 14.04 ESM. (CVE-2020-8184)
It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST request to an application using
Rack, a remote attacker could possibly use this issue to cause a denial of
service. This issue was only fixed in Ubuntu 14.04 ESM and Ubuntu 16.04
ESM. (CVE-2022-30122)
It was discovered that Rack was not properly escaping untrusted data when
performing logging operations, which could cause shell escaped sequences
to be written to a terminal. If a user or automated system were tricked
into sending a specially crafted request to an application using Rack, a
remote attacker could possibly use this issue to execute arbitrary code in
the machine running the application. This issue was only fixed in Ubuntu
14.04 ESM and Ubuntu 16.04 ESM. (CVE-2022-30123)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04
-
ruby-rack
-
2.0.7-2ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04
-
ruby-rack
-
1.6.4-4ubuntu0.2+esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
ruby-rack
-
1.6.4-3ubuntu0.2+esm2
Available with Ubuntu Pro
Ubuntu 14.04
-
ruby-rack
-
1.5.2-3+deb8u3ubuntu1~esm4
Available with Ubuntu Pro
After a standard system update you need to restart any applications using
Rack to make all the necessary changes.