[CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack

There is a possible information leak / session hijacking vulnerability
in Rack. This vulnerability has been assigned the CVE identifier
CVE-2019-16782.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     1.6.12, 2.0.8

There's a possible information leak / session hijack vulnerability in
Rack. Attackers may be able to find and hijack sessions by using timing
attacks targeting the session id. Session ids are usually stored and
indexed in a database that uses some kind of scheme for speeding up
lookups of that session id. By carefully measuring the amount of time it
takes to look up a session, an attacker may be able to find a valid
session id and hijack the session.

The session id itself may be generated randomly, but the way the session
is indexed by the backing store does not use a secure comparison.

Impact
------

The session id stored in a cookie is the same id that is used when
querying the backing session storage engine. Most storage mechanisms
(for example a database) use some sort of indexing in order to speed up
the lookup of that id. By carefully timing requests and session lookup
failures, an attacker may be able to perform a timing attack to
determine an existing session id and hijack that session.
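
As an added illustration of the mechanism described above (this is example code, not Rack's own code and not the shipped patch), the Ruby below models a backing store whose lookup cost grows with how much of the key matches, runs the character-by-character prefix search that such a side channel enables, and contrasts it with keying the store by a SHA256 hash of the cookie value, the mitigation the fixed releases adopt: the leaked bytes then belong to the hash, which a guess cannot extend one character at a time. REAL_SID, HEX, SessionStore and recover_prefix are all constructed for this example, and the "bytes examined" count stands in for measured response time.

```ruby
require 'digest'

# Constructed session id for the demo (not a real token); Rack's ids are longer.
REAL_SID = '9c4e1b7f2a60d3e5'.freeze
HEX = ('0'..'9').to_a + ('a'..'f').to_a

# Stand-in for a store whose lookup cost grows with the matching key prefix.
# Returns [matched?, bytes_examined]; the count models the timing side channel.
def leaky_compare(stored, probe)
  examined = 0
  stored.each_byte.with_index do |byte, i|
    examined += 1
    return [false, examined] if probe.getbyte(i) != byte
  end
  [probe.bytesize == stored.bytesize, examined]
end

# hash_keys: false is the vulnerable shape (cookie value used as the key);
# true is the mitigation (key = SHA256 of the cookie value): a leaked prefix
# then belongs to the hash and cannot be extended one guess at a time.
class SessionStore
  def initialize(hash_keys:, sessions:)
    @hash_keys = hash_keys
    @rows = sessions.transform_keys { |sid| key_for(sid) }
  end
  def key_for(public_id)
    @hash_keys ? Digest::SHA256.hexdigest(public_id) : public_id
  end
  # Returns [session_data_or_nil, bytes_examined] for the slowest row touched.
  def lookup(public_id)
    probe = key_for(public_id)
    slowest = 0
    @rows.each do |key, data|
      hit, examined = leaky_compare(key, probe)
      return [data, examined] if hit
      slowest = [slowest, examined].max
    end
    [nil, slowest]
  end
end

# Attacker model from the advisory: extend the guess one character at a time,
# keeping whichever character made the lookup do the most work, and return
# the recovered prefix. Run with hash_keys false, then true, to compare.
def recover_prefix(hash_keys, length = 8)
  store = SessionStore.new(hash_keys: hash_keys, sessions: { REAL_SID => { 'user_id' => 42 } })
  guess = +''
  length.times { guess << HEX.max_by { |c| store.lookup(guess + c)[1] } }
  guess
end
```

With raw keys recover_prefix(false) returns the first eight characters of REAL_SID; with hashed keys recover_prefix(true) returns an unrelated string, while a lookup with the genuine id still succeeds.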

Releases
--------

The 1.6.12 and 2.0.8 releases are available at the normal locations.

Workarounds
-----------

There are no known workarounds.

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

1-6-session-timing-attack.patch - Patch for 1.6 series
2-0-session-timing-attack.patch - Patch for 2.0 series

Credits
-------

Thanks to Will Leinweber for reporting this!

-- 
Aaron Patterson
http://tenderlovemaking.com/