Ruby on Rails XML Parsing CVE-2013-1856 Denial of Service Vulnerability
BID:58554
Info
| Bugtraq ID: | 58554 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2013-1856 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 18 2013 12:00AM |
| Updated: | Apr 13 2015 10:23PM |
| Credit: | Ben Murphy |
| Vulnerable: | Ruby on Rails 3.2.12, 3.2.11, 3.2.10, 3.2.8, 3.2.7, 3.2.6, 3.2.4, 3.2.2, 3.1.11, 3.1.9, 3.1.8, 3.1.7, 3.1.6, 3.1.5, 3.1.4, 3.1.2, 3.1, 3.2; JRuby 0; Gentoo Linux; Apple Mac OS X Server 10.7.5, 2.2.2, 2.2.1, 2.1.1, 2.1, 2.0, 10.7.4, 10.7.3, 10.7.1, 10.7, 10.6.8; Apple Mac OS X 10.8.2, 10.8.1, 10.7.5, 10.8.3, 10.8, 10.7.4, 10.7.3, 10.7.2, 10.7.1, 10.7, 10.6.8 |
| Not Vulnerable: | Ruby on Rails 3.2.13, 3.1.12; Apple Mac OS X Server 3.0; Apple Mac OS X 10.8.4 |
Discussion
Ruby on Rails is prone to a denial-of-service vulnerability.
Remote attackers can exploit this issue to cause denial-of-service conditions.
The vulnerability is fixed in the following versions:
Ruby on Rails 3.1.12 and 3.2.13.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
Apple Mac OS X 10.8.3
- Apple OSXUpd10.8.4.dmg (For OS X Mountain Lion v10.8.3): http://www.apple.com/support/downloads/

Apple Mac OS X 10.8
- Apple OSXUpdCombo10.8.4.dmg (For OS X Mountain Lion v10.8 and v10.8.2): http://www.apple.com/support/downloads/

Apple Mac OS X 10.6.8
- Apple SecUpdSrvr2013-002.dmg (For Mac OS X Server v10.6.8): http://www.apple.com/support/downloads/

Apple Mac OS X 10.7.5
- Apple SecUpd2013-002.dmg (For OS X Lion v10.7.5): http://www.apple.com/support/downloads/
- Apple SecUpdSrvr2013-002.dmg (For OS X Lion Server v10.7.5): http://www.apple.com/support/downloads/

Apple Mac OS X 10.8.2
- Apple OSXUpdCombo10.8.4.dmg (For OS X Mountain Lion v10.8 and v10.8.2): http://www.apple.com/support/downloads/