There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5253-1 advisory.

    It was discovered that Rack insecurely handled session ids. An unauthenticated remote attacker could     possibly use this issue to perform a timing attack and hijack sessions. (CVE-2019-16782)

    It was discovered that Rack was incorrectly handling cookies during parsing, not validating them or     performing the necessary integrity checks. An attacker could possibly use this issue to overwrite existing     cookie data and gain control over a remote system's behaviour. This issue only affected Ubuntu 14.04 ESM.
    (CVE-2020-8184)

    It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a     user or automated system were tricked into sending a specially crafted multipart POST request to an     application using Rack, a remote attacker could possibly use this issue to cause a denial of service. This     issue was only fixed in Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2022-30122)

    It was discovered that Rack was not properly escaping untrusted data when performing logging operations,     which could cause shell escaped sequences to be written to a terminal. If a user or automated system were     tricked into sending a specially crafted request to an application using Rack, a remote attacker could     possibly use this issue to execute arbitrary code in the machine running the application. This issue was     only fixed in Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2022-30123)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1313 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):

    * foreman: Managing repositories with their id via hammer does not respect the role filters     (CVE-2017-2662)
    * python-psutil: Double free because of refcount mishandling (CVE-2019-18874)
    * candlepin: netty: compression/decompression codecs don't enforce limits on buffer allocation sizes     (CVE-2020-11612)
    * foreman: world-readable OMAPI secret through the ISC DHCP server (CVE-2020-14335)
    * candlepin: resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's     WebApplicationException handling (CVE-2020-25633)
    * python-django: potential SQL injection via tolerance parameter in GIS functions and aggregates on     Oracle (CVE-2020-9402)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    * Usability enhancements to Red Hat's Simple Content Access mode and Satellite

    * Usability improvements to enabling Remote Execution on your hosts.

    * Notifications in the UI to warn users when subscriptions are expiring.

    * Usability enhancements to enable Insights integration with Satellite.

    * Performance improvements to various aspects of the user interface and API.

    * Added support for OpenID Connect for authentication.

    * Usability improvements to the Satellite Installer.

    * Updated Ruby web server to the modern Puma application server which replaces Passenger.

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4366 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):

    * mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)
    * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
    * rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7663)
    * puppet: puppet server and puppetDB may leak sensitive information via metrics API (CVE-2020-7943)
    * jackson-databind: multiple serialization gadgets (CVE-2020-8840 CVE-2020-9546 CVE-2020-9547     CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11619 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195)
    * foreman: unauthorized cache read on RPM-based installations through local user (CVE-2020-14334)
    * Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover     (CVE-2020-14380)
    * Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS (CVE-2019-12781)
    * rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)
    * rubygem-secure_headers: limited header injection when using dynamic overrides with user input     (CVE-2020-5216)
    * rubygem-secure_headers: directive injection when using dynamic overrides with user input (CVE-2020-5217)
    * rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks     (CVE-2020-5267)
    * puppet: Arbitrary catalog retrieval (CVE-2020-7942)
    * rubygem-rack: directory traversal in Rack::Directory (CVE-2020-8161)
    * rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names     (CVE-2020-8184)
    * hibernate-validator: Improper input validation in the interpolation of constraint error messages     (CVE-2020-10693)
    * puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL     (CVE-2018-11751)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    * Provides the Satellite Ansible Modules that allow for full automation of your Satellite configuration     and deployment.

    * Adds ability to install Satellite and Capsules and manage hosts in a IPv6 network environment

    * Ansible based Capsule Upgrade automation: Ability to centrally upgrade all of your Capsule servers with     a single job execution.

    * Platform upgrades to Postgres 12, Ansible 2.9, Ruby on Rails and latest version of Puppet

    * Support for HTTP UEFI provisioning

    * Support for CAC card authentication with Keycloak integration

    * Add ability to upgrade Red Hat Enterprise Linux 7 hosts to version 8 using the LEAPP based tooling.

    * Support for Red Hat Enterprise Linux Traces integration

    * satellite-maintain & foreman-maintain are now self updating

    * Notifications in the UI to warn users when subscriptions are expiring.

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2480 advisory.

    Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the     challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a     model-view-controller (MVC) framework for web application development. Action Pack implements the     controller and the view components.

    Security Fix(es):

    * cfme-gemset: rubygem-rack: hijack sessions by using timing attacks targeting the session id     (CVE-2019-16782)

    * cfme-amazon-smartstate: rubygem-rack: hijack sessions by using timing attacks targeting the session id     (CVE-2019-16782)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    This update fixes various bugs and adds enhancements. Documentation for these changes is available from     the Release Notes document linked to in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for rubygem-rack to version 2.0.8 fixes the following issues :

  - CVE-2018-16471: Fixed a cross-site scripting (XSS) flaw     via the scheme method on Rack::Request (bsc#1116600).

  - CVE-2019-16782: Fixed a possible information leak and     session hijack vulnerability (bsc#1159548).

This update was imported from the SUSE:SLE-15:Update update project.

This update for rubygem-rack to version 2.0.8 fixes the following issues :

CVE-2018-16471: Fixed a cross-site scripting (XSS) flaw via the scheme method on Rack::Request (bsc#1116600).

CVE-2019-16782: Fixed a possible information leak and session hijack vulnerability (bsc#1159548).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to Rack 2.0.8.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

National Vulnerability Database :

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

ID	Name	Product	Family	Severity
183143	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Rack vulnerabilities (USN-5253-1)	Nessus	Ubuntu Local Security Checks	critical
148903	RHEL 7 : Satellite 6.9 Release (Moderate) (RHSA-2021:1313)	Nessus	Red Hat Local Security Checks	critical
142452	RHEL 7 : Satellite 6.8 (Important) (RHSA-2020:4366)	Nessus	Red Hat Local Security Checks	critical
137312	RHEL 8 : CloudForms 5.0.6 (RHSA-2020:2480)	Nessus	Red Hat Local Security Checks	medium
133669	openSUSE Security Update : rubygem-rack (openSUSE-2020-214)	Nessus	SuSE Local Security Checks	medium
133597	SUSE SLED15 / SLES15 Security Update : rubygem-rack (SUSE-SU-2020:0359-1)	Nessus	SuSE Local Security Checks	medium
133114	Fedora 31 : 1:rubygem-rack (2020-57fc0d0156)	Nessus	Fedora Local Security Checks	medium
132428	FreeBSD : rack -- information leak / session hijack vulnerability (66e4dc99-28b3-11ea-8dde-08002728f74c)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2019-16782

medium

Tenable Plugins

critical

critical

critical

medium

medium

medium

medium

medium