CVE-2018-1000074

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the gem owner command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.

Weakness

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Software

Name	Vendor	Start Version	End Version
Rubygems	Rubygems	*	2.2.9 (including)
Red Hat Enterprise Linux 7	RedHat	ruby-0:2.0.0.648-36.el7	*
Red Hat Enterprise Linux 7.4 Advanced Update Support	RedHat	ruby-0:2.0.0.648-35.el7_4	*
Red Hat Enterprise Linux 7.4 Telco Extended Update Support	RedHat	ruby-0:2.0.0.648-35.el7_4	*
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions	RedHat	ruby-0:2.0.0.648-35.el7_4	*
Red Hat Enterprise Linux 7.5 Extended Update Support	RedHat	ruby-0:2.0.0.648-35.el7_5	*
Red Hat Enterprise Linux 7.6 Extended Update Support	RedHat	ruby-0:2.0.0.648-36.el7_6	*
Red Hat Software Collections for Red Hat Enterprise Linux 6	RedHat	rh-ruby23-ruby-0:2.3.8-69.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 6	RedHat	rh-ruby24-ruby-0:2.4.5-91.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-ruby23-ruby-0:2.3.8-69.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-ruby24-ruby-0:2.4.5-91.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-ruby25-ruby-0:2.5.3-6.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS	RedHat	rh-ruby23-ruby-0:2.3.8-69.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS	RedHat	rh-ruby24-ruby-0:2.4.5-91.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS	RedHat	rh-ruby25-ruby-0:2.5.3-6.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS	RedHat	rh-ruby23-ruby-0:2.3.8-69.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS	RedHat	rh-ruby24-ruby-0:2.4.5-91.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS	RedHat	rh-ruby25-ruby-0:2.5.3-6.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS	RedHat	rh-ruby23-ruby-0:2.3.8-69.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS	RedHat	rh-ruby24-ruby-0:2.4.5-91.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS	RedHat	rh-ruby25-ruby-0:2.5.3-6.el7	*
Jruby	Ubuntu	artful	*
Jruby	Ubuntu	bionic	*
Jruby	Ubuntu	cosmic	*
Jruby	Ubuntu	esm-infra-legacy/trusty	*
Jruby	Ubuntu	trusty	*
Jruby	Ubuntu	trusty/esm	*
Jruby	Ubuntu	xenial	*
Ruby1.9.1	Ubuntu	trusty	*
Ruby2.0	Ubuntu	trusty	*
Ruby2.3	Ubuntu	artful	*
Ruby2.3	Ubuntu	esm-infra/xenial	*
Ruby2.3	Ubuntu	xenial	*
Ruby2.5	Ubuntu	bionic	*
Ruby2.5	Ubuntu	cosmic	*
Ruby2.5	Ubuntu	disco	*
Ruby2.5	Ubuntu	eoan	*
Ruby2.5	Ubuntu	esm-infra/bionic	*

Potential Mitigations

Make fields transient to protect them from deserialization.
An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

https://cwe.mitre.org/data/definitions/586.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-1000074
CWE	https://cwe.mitre.org/data/definitions/502.html

Deserialization of Untrusted Data

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References