manageiq / httpd_configmap_generator

Scripts used in httpd containers for configuring authentication

License: Apache License 2.0

Ruby 96.53% Shell 1.55% Dockerfile 1.92%

httpd_configmap_generator's Introduction

Httpd Configmap Generator

This gem provides a CLI that automates the generation of the auth-config maps used with the httpd auth pod to enable external authentication.

Install as follows:

gem install httpd_configmap_generator

Running the tool

An auth-config map is generated by running the httpd_configmap_generator tool:

$ httpd_configmap_generator --help
httpd_configmap_generator 0.1.1 - External Authentication Configuration script

Usage: httpd_configmap_generator auth_type | update | export [--help | options]

supported auth_type: active-directory, ipa, ldap, saml, oidc

httpd_configmap_generator options are:
  -V, --version    Version of the httpd_configmap_generator command
  -h, --help       Show this message

The usage for each authentication type or sub-command is shown as follows:

$ httpd_configmap_generator ipa --help

Supported Authentication Types

auth-type          Identity Provider/Environment                     Usage
active-directory   Active Directory domain realm join                README-active-directory
ipa                IPA, IPA 2-factor authentication, IPA/AD Trust    README-ipa
ldap               LDAP directories                                  README-ldap
saml               Keycloak, etc.                                    README-saml
oidc               OpenID-Connect (Keycloak, etc.)                   README-oidc

Updating an auth configuration map:

With the update subcommand, it is possible to add file(s) to the configuration map as per the following usage:

$ httpd_configmap_generator update --help
Options:
  -i, --input=<s>       Input config map file
  -o, --output=<s>      Output config map file
  -f, --force           Force configuration if configured already
  -d, --debug           Enable debugging
  -a, --add-file=<s>    Add file to config map
  -h, --help            Show this message

The --add-file option can be specified multiple times, one per file to add to a configuration map.

The supported file specifications for the --add-file option are:

--add-file=file-path
--add-file=source-file-path,target-file-path
--add-file=source-file-path,target-file-path,file-permission
--add-file=file-url,target-file-path,file-permission

Where:

  • file-url is an http URL
  • file-permission can be specified as: mode:owner:group

Examples:

Adding files by specifying paths:

The file ownership and permissions will be based on the files specified.

$ httpd_configmap_generator update \
  --input=/tmp/original-auth-configmap.yaml                     \
  --add-file=/etc/openldap/cacerts/primary-directory-cert.pem   \
  --add-file=/etc/openldap/cacerts/secondary-directory-cert.pem \
  --output=/tmp/updated-auth-configmap.yaml

Adding target files from different source directories:

$ httpd_configmap_generator update \
  --input=/tmp/original-auth-configmap.yaml                                         \
  --add-file=/tmp/uploaded-cert1,/etc/openldap/cacerts/primary-directory-cert.pem   \
  --add-file=/tmp/uploaded-cert2,/etc/openldap/cacerts/secondary-directory-cert.pem \
  --output=/tmp/updated-auth-configmap.yaml

The file ownership and permissions will be based on the source files specified; in this case the ownership and permissions of the /tmp/uploaded-cert1 and /tmp/uploaded-cert2 files will be used.

Adding a target file with user specified ownership and mode:

$ httpd_configmap_generator update \
  --input=/tmp/original-auth-configmap.yaml                          \
  --add-file=/tmp/secondary-keytab,/etc/http2.keytab,600:apache:root \
  --output=/tmp/updated-auth-configmap.yaml

Adding files by URL:

$ httpd_configmap_generator update \
  --input=/tmp/original-auth-configmap.yaml \
  --add-file=http://aab-keycloak:8080/auth/realms/testrealm/protocol/saml/description,/etc/httpd/saml2/idp-metadata.xml,644:root:root \
  --output=/tmp/updated-auth-configmap.yaml

When downloading a file by URL, a target file path and file ownership/mode must be specified.
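As an added example (not code from the gem), the following Ruby module parses the four --add-file forms described above and enforces the rules the text states: a permission must be mode:owner:group, a URL source must come with a target path and a permission, and a local source without an explicit permission takes ownership and mode from the file itself. The module and method names are my own.

```ruby
require "etc"
require "uri"

# Added example, not the gem's own code: a parser for the --add-file
# specification forms documented in the README:
#
#   --add-file=file-path
#   --add-file=source-file-path,target-file-path
#   --add-file=source-file-path,target-file-path,file-permission
#   --add-file=file-url,target-file-path,file-permission
#
# file-permission is mode:owner:group. A URL source must carry both a
# target path and a permission, because there is no local file to copy
# ownership and mode from.
module AddFileSpec
  class Error < StandardError; end

  # Three or four octal digits, then an owner and a group name.
  PERMISSION_RE = /\A([0-7]{3,4}):([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+)\z/

  # Parse one --add-file value into a hash:
  #   :source     the local path or URL to read from
  #   :target     the path inside the config map (defaults to :source)
  #   :permission {:mode, :owner, :group}, or nil when it is to be taken
  #               from the source file
  #   :url        true when :source is an http(s) URL
  def self.parse(spec)
    fields = spec.to_s.split(",", -1)
    if fields.empty? || fields.any?(&:empty?)
      raise Error, "malformed --add-file specification: #{spec.inspect}"
    end
    raise Error, "too many fields in #{spec.inspect}" if fields.size > 3

    source, target, permission = fields
    url = http_url?(source)
    if url && (target.nil? || permission.nil?)
      raise Error, "a URL source needs a target file path and a file permission: #{spec.inspect}"
    end

    {
      :source     => source,
      :target     => target || source,
      :permission => permission && parse_permission(permission),
      :url        => url
    }
  end

  def self.parse_permission(value)
    m = PERMISSION_RE.match(value)
    raise Error, "file permission must be mode:owner:group, got #{value.inspect}" unless m
    {:mode => m[1], :owner => m[2], :group => m[3]}
  end

  # With no explicit permission, ownership and mode come from the source
  # file itself, read from its stat information.
  def self.resolve_permission(entry)
    return entry[:permission] if entry[:permission]
    raise Error, "URL source #{entry[:source]} has no local file to take ownership from" if entry[:url]

    st = File.stat(entry[:source])
    {
      :mode  => format("%o", st.mode & 0o7777),
      :owner => name_or_id(:getpwuid, st.uid),
      :group => name_or_id(:getgrgid, st.gid)
    }
  end

  def self.http_url?(source)
    URI.parse(source).is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  rescue URI::InvalidURIError
    false
  end

  # Fall back to the numeric id when the container has no passwd/group entry for it.
  def self.name_or_id(lookup, id)
    Etc.public_send(lookup, id).name
  rescue ArgumentError
    id.to_s
  end
  private_class_method :name_or_id
end

# Usage: ruby add_file_spec.rb '/tmp/secondary-keytab,/etc/http2.keytab,600:apache:root'
if $PROGRAM_NAME == __FILE__
  ARGV.each { |spec| p AddFileSpec.resolve_permission(AddFileSpec.parse(spec)) }
end
```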


Exporting a file from an auth configuration map

With the export subcommand, it is possible to export a file from the configuration map as per the following usage:

$ httpd_configmap_generator export --help
Options:
  -i, --input=<s>     Input config map file
  -l, --file=<s>      Config map file to export
  -o, --output=<s>    The output file being exported
  -f, --force         Force configuration if configured already
  -d, --debug         Enable debugging
  -h, --help          Show this message

Example:

Extract the sssd.conf file out of the auth configuration map:

$ httpd_configmap_generator export \
  --input=/tmp/external-ipa.yaml \
  --file=/etc/sssd/sssd.conf     \
  --output=/tmp/sssd.conf

Building the Httpd Configmap Generator in a Container

Container for configuring external authentication for the httpd auth pod. It is based on the auth httpd container and generates the httpd auth-config map needed to enable external authentication.

Installing

$ git clone https://github.com/ManageIQ/httpd_configmap_generator.git

Running with Docker

Building container image

$ cd httpd_configmap_generator
$ docker build . -t manageiq/httpd_configmap_generator:latest

Running the httpd_configmap_generator container

$ docker run --privileged manageiq/httpd_configmap_generator:latest &

Getting the httpd_configmap_generator container id:

$ CONFIGMAP_GENERATOR_ID="`docker ps -l -q`"

Generating a configmap for external authentication against IPA

The httpd_configmap_generator tool can be run inside the container by first opening a bash shell:

$ docker exec -it $CONFIGMAP_GENERATOR_ID /bin/bash -i

Alternatively, the tool can be executed directly through docker exec, as in this example that generates a configuration map for IPA:

$ docker exec $CONFIGMAP_GENERATOR_ID httpd_configmap_generator ipa \
    --host=appliance.example.com        \
    --ipa-server=ipaserver.example.com  \
    --ipa-domain=example.com            \
    --ipa-realm=EXAMPLE.COM             \
    --ipa-principal=admin               \
    --ipa-password=smartvm1             \
    -o /tmp/external-ipa.yaml

--host above must be the DNS name of the application exposing the httpd auth pod, i.e. ${APPLICATION_DOMAIN}

Copying the new auth configmap back locally:

$ docker cp $CONFIGMAP_GENERATOR_ID:/tmp/external-ipa.yaml ./external-ipa.yaml

The new configmap can then be applied to the auth httpd pod, which must then be redeployed for the change to take effect:

$ oc replace configmaps httpd-auth-configs --filename ./external-ipa.yaml

Stopping the httpd_configmap_generator container

When completed with httpd_configmap_generator, the container can simply be stopped and/or removed:

$ docker stop $CONFIGMAP_GENERATOR_ID
$ docker rmi --force manageiq/httpd_configmap_generator:latest

Running with OpenShift

Pre-deployment tasks

The httpd-configmap-generator service account must be added to the httpd-scc-sysadmin SCC before the Httpd Configmap Generator can run.

As Admin

Create the httpd-scc-sysadmin SCC:

$ oc create -f templates/httpd-scc-sysadmin.yaml

Include the httpd-configmap-generator service account with the new SCC:

$ oc adm policy add-scc-to-user httpd-scc-sysadmin system:serviceaccount:<your-namespace>:httpd-configmap-generator

Verify that the httpd-configmap-generator service account is now included in the httpd-scc-sysadmin SCC:

$ oc describe scc httpd-scc-sysadmin | grep Users
Users:        system:serviceaccount:<your-namespace>:httpd-configmap-generator

Deploy the Httpd Configmap Generator Application

As basic user

$ oc create -f templates/httpd-configmap-generator-template.yaml

$ oc get templates
NAME                        DESCRIPTION                                 PARAMETERS     OBJECTS
httpd-configmap-generator   Httpd Configmap Generator                   6 (all set)    3

Deploy the Httpd Configmap Generator

$ oc new-app --template=httpd-configmap-generator

Check the readiness of the Httpd Configmap Generator

$ oc get pods
NAME                                READY     STATUS    RESTARTS   AGE
httpd-configmap-generator-1-txc34   1/1       Running   0          1h

Getting the POD Name

To work with the httpd_configmap_generator script in the httpd-configmap-generator pod, first capture the pod name for use in the commands below:

$ CONFIGMAP_GENERATOR_POD=`oc get pods | grep "httpd-configmap-generator" | cut -f1 -d" "`

Generating a configmap for external authentication against IPA

$ oc exec $CONFIGMAP_GENERATOR_POD  -- bash -c 'httpd_configmap_generator ipa ...

Example configuration:

$ oc exec $CONFIGMAP_GENERATOR_POD -- bash -c 'httpd_configmap_generator ipa \
    --host=appliance.example.com        \
    --ipa-server=ipaserver.example.com  \
    --ipa-domain=example.com            \
    --ipa-realm=EXAMPLE.COM             \
    --ipa-principal=admin               \
    --ipa-password=smartvm1             \
    -o /tmp/external-ipa.yaml'

--host above must be the DNS name of the application exposing the httpd auth pod, i.e. ${APPLICATION_DOMAIN}

Copying the new auth configmap back locally:

$ oc cp $CONFIGMAP_GENERATOR_POD:/tmp/external-ipa.yaml ./external-ipa.yaml

The new configmap can then be applied to the auth httpd pod, which must then be redeployed for the change to take effect:

$ oc replace configmaps httpd-auth-configs --filename ./external-ipa.yaml

To generate a new auth configuration map, it is recommended to redeploy the httpd-configmap-generator pod first so that the httpd_configmap_generator tool runs in a clean environment.

When done generating an auth-configmap, the httpd_configmap_generator pod can simply be scaled down:

$ oc scale dc httpd-configmap-generator --replicas=0

or deleted if no longer needed:

$ oc delete all  -l app=httpd-configmap-generator
$ oc delete pods -l app=httpd-configmap-generator

httpd_configmap_generator's People

Contributors

abellotti, agrare, bdunne, carbonin, chessbyte, d-m-u, fryguy, gtanzillo, izapolsk, jrafanie, jvlcek, kbrock, mend-bolt-for-github[bot], nicklamuro, renovate[bot], rickr, simaishi


httpd_configmap_generator's Issues

Question about changing EnableSendfile to On?

Thanks for providing the container!
I am doing research aimed at finding issues in configuration files. After pulling the image we noticed that EnableSendfile is set to On in /etc/httpd/conf/httpd.conf, whose default is Off.

However, the httpd official documentation recommends setting EnableSendfile to Off to avoid operational problems when:

  • Some platforms may have broken sendfile support that the build system did not detect, especially if the binaries were built on another box and moved to such a machine with broken sendfile support.
  • On Linux the use of sendfile triggers TCP-checksum offloading bugs on certain networking cards when using IPv6.
  • On Linux on Itanium, sendfile may be unable to handle files over 2GB in size.
  • With a network-mounted DocumentRoot (e.g., NFS, SMB, CIFS, FUSE), the kernel may be unable to serve the network file through its own cache.

Shall we set EnableSendfile back to off as default?

CVE-2022-44571 (High) detected in rack-2.2.3.gem

CVE-2022-44571 - High Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Publish Date: 2023-02-09

URL: CVE-2022-44571

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-93pm-5p5f-3ghx

Release Date: 2023-02-09

Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1


CVE-2022-44570 (High) detected in rack-2.2.3.gem

CVE-2022-44570 - High Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.

Publish Date: 2023-02-09

URL: CVE-2022-44570

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-65f5-mfpf-vfhj

Release Date: 2023-02-09

Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1


CVE-2024-26141 (Medium) detected in rack-2.2.3.gem

CVE-2024-26141 - Medium Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.

Publish Date: 2024-02-29

URL: CVE-2024-26141

CVSS 3 Score Details (5.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-26141

Release Date: 2024-02-29

Fix Resolution: rack - 2.2.8.1,3.0.9.1


docker build is failing with "/bin/sh: gem: command not found" error

Steps
git clone https://github.com/ManageIQ/httpd_configmap_generator
cd httpd_configmap_generator
docker build . -t manageiq/httpd_configmap_generator:latest

Error
Step 6/6 : RUN gem install --no-ri --no-rdoc --no-document httpd_configmap_generator
---> Running in 3e8dd6007819
/bin/sh: gem: command not found
The command '/bin/sh -c gem install --no-ri --no-rdoc --no-document httpd_configmap_generator' returned a non-zero code: 127

Note
This fails on x86_64 and ppc64le alike

Proposed solution
Install ruby-devel in the image

Dependency error running container manageiq/httpd_configmap_generator:latest

How to reproduce

docker run -d  --privileged manageiq/httpd_configmap_generator:latest
CONFIGMAP_GENERATOR_ID="`docker ps -l -q`"
docker exec -it $CONFIGMAP_GENERATOR_ID /bin/bash -i

[root@db919d051ca1 httpd]# httpd_configmap_generator ipa

Running the httpd_configmap_generator always gives an error:

Could not find gem 'codeclimate-test-reporter (~> 1.0.0)' in any of the gem sources listed in your Gemfile.
Run `bundle install` to install missing gems.

httpd-config-generator fails during ipa configuration generation

When I try to generate ipa configuration using latest docker I get the following error:

[root@cfme-smicro-628-b09 cfme-59018-0126]# docker exec $CONFIGMAP_GENERATOR_ID httpd_configmap_generator ipa --host=xz3tto.*** --ipa-server=env-freeipa01.*** --ipa-domain=freeipa01.*** --ipa-realm=freeipa01.*** --ipa-principal=admin --ipa-password=*** -f -d -o /tmp/external-ipa.yaml
Running Command: /usr/bin/hostname
Running Command: /usr/bin/hostname --params xz3tto.***
Running Command: /usr/sbin/ipa-client-install --params -N force_join fixed_primary unattended realm\= FREEIPA01.*** domain\= freeipa01.*** server\= env-freeipa01.*** principal\= admin password\= ***
Configuring IPA HTTP Service
Running Command: /usr/bin/kinit --params admin --stdin-data ***
Command Error: /usr/bin/ipa exit code: 2
stdout:
stderr: ipa: ERROR: The host 'xz3tto.***' does not exist to add a service to.
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/awesome_spawn-1.4.1/lib/awesome_spawn.rb:105:in `run!': /usr/bin/ipa exit code: 2 (AwesomeSpawn::CommandResultError)
        from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/httpd_configmap_generator-0.2.1/lib/httpd_configmap_generator/base/command.rb:17:in `command_run!'
        from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/httpd_configmap_generator-0.2.1/lib/httpd_configmap_generator/base/principal.rb:30:in `request'
        from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/httpd_configmap_generator-0.2.1/lib/httpd_configmap_generator/base/principal.rb:19:in `register'
        from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/httpd_configmap_generator-0.2.1/lib/httpd_configmap_generator/ipa.rb:115:in `configure_ipa_http_service'
        from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/httpd_configmap_generator-0.2.1/lib/httpd_configmap_generator/ipa.rb:63:in `configure'
        from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/httpd_configmap_generator-0.2.1/lib/httpd_configmap_generator/base.rb:83:in `run_configure'
        from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/httpd_configmap_generator-0.2.1/bin/httpd_configmap_generator:68:in `run'
        from /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/httpd_configmap_generator-0.2.1/bin/httpd_configmap_generator:87:in `<top (required)>'
        from /opt/rubies/ruby-2.3.1/bin/httpd_configmap_generator:23:in `load'
        from /opt/rubies/ruby-2.3.1/bin/httpd_configmap_generator:23:in `<main>'

When I open shell in docker and run kinit + ipa host-add + ipa service-add manually, next attempt to run httpd_configmap_generator finishes successfully.

CVE-2023-22796 (High) detected in activesupport-6.1.4.1.gem

CVE-2023-22796 - High Severity Vulnerability

Vulnerable Library - activesupport-6.1.4.1.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.1.4.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-6.1.4.1.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • more_core_extensions-3.8.0.gem
      • activesupport-6.1.4.1.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

Publish Date: 2023-02-09

URL: CVE-2023-22796

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-j6gc-792m-qgm2

Release Date: 2023-02-09

Fix Resolution: activesupport - 6.1.7.1,7.0.4.1


CVE-2024-25126 (Medium) detected in rack-2.2.3.gem

CVE-2024-25126 - Medium Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.

Publish Date: 2024-02-29

URL: CVE-2024-25126

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-22f2-v57c-j9cx

Release Date: 2024-02-29

Fix Resolution: rack - 2.2.8.1,3.0.9.1


CVE-2023-27530 (High) detected in rack-2.2.3.gem

CVE-2023-27530 - High Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code, which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected.

Publish Date: 2023-03-10

URL: CVE-2023-27530

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2023-03-10

Fix Resolution: rack - 2.0.9.3,2.1.4.3,2.2.6.3,3.0.4.2


CVE-2023-27539 (High) detected in rack-2.2.3.gem

CVE-2023-27539 - High Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. The issue is fixed in versions 2.2.6.4 and 3.0.6.1.

Publish Date: 2023-03-03

URL: CVE-2023-27539

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466

Release Date: 2023-03-03

Fix Resolution: rack - 2.2.6.4,3.0.6.1


CVE-2024-35176 (Medium) detected in rexml-3.2.5.gem

CVE-2024-35176 - Medium Severity Vulnerability

Vulnerable Library - rexml-3.2.5.gem

An XML toolkit for Ruby

Library home page: https://rubygems.org/gems/rexml-3.2.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rexml-3.2.5.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-performance-1.11.5.gem
      • rubocop-1.22.1.gem
        • rexml-3.2.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many <s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later includes the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

Publish Date: 2024-05-16

URL: CVE-2024-35176

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-vg3r-rm7w-2xgh

Release Date: 2024-05-16

Fix Resolution: rexml - 3.2.7


Change the value of AuthnCacheContext?

Thanks for providing the container! I have a question about one httpd config: AuthnCacheContext.
It seems the official document recommends changing the default directory, which is conservative and not optimal. A better policy is to name the AuthnCacheContext for the password provider: for example a htpasswd file or database table.

Maybe it's better to set that to specify a context string for use in the cache key in the config file? Thanks.

CVE-2023-38037 (Medium) detected in activesupport-6.1.4.1.gem

CVE-2023-38037 - Medium Severity Vulnerability

Vulnerable Library - activesupport-6.1.4.1.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.1.4.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-6.1.4.1.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • more_core_extensions-3.8.0.gem
      • activesupport-6.1.4.1.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Active Support Possibly Discloses Locally Encrypted Files

Publish Date: 2023-07-12

URL: CVE-2023-38037

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-cr5q-6q9f-rq6q

Release Date: 2023-07-12

Fix Resolution: activesupport - 6.1.7.5,7.0.7.1


Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

bundler
Gemfile
dockerfile
Dockerfile

CVE-2024-26146 (Medium) detected in rack-2.2.3.gem

CVE-2024-26146 - Medium Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.

Publish Date: 2024-02-29

URL: CVE-2024-26146

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-26146

Release Date: 2024-02-29

Fix Resolution: rack - 2.0.9.4,2.1.4.4,2.2.8.1,3.0.9.1



Change default value of SSLSessionCache to **shmcb** for better performance?

In your configuration file, I notice that you do not change the default value of SSLSessionCache, which is none. The HTTP server official document says: "This will incur a noticeable speed penalty and may cause problems if using certain browsers, particularly if client certificates are enabled. This setting is not recommended."

And the document recommends setting SSLSessionCache to shmcb:/path/to/datafile[(size)] for better performance: "This is the recommended session cache."

I wonder if the default needs to be changed for performance concerns. Thanks.
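The following is an added example (not code from httpd_configmap_generator or from the issue author) showing the weak default beside the recommended setting, together with a small Ruby check that reads an httpd configuration and reports whether SSLSessionCache is absent, disabled, or set to shmcb. The two config fragments are constructed for illustration, and the cache path /run/httpd/sslcache is an assumed, conventional location rather than one taken from this project.

```ruby
# Added example: audit the SSLSessionCache directive in an httpd configuration.
# The config fragments below are constructed for illustration and are not the
# project's own templates; /run/httpd/sslcache is an assumed cache path.

# Weak setting: the upstream default, which disables the TLS session cache so
# every connection performs a full handshake.
WEAK_SSL_CONF = <<~CONF
  Listen 443
  SSLSessionCache none
  <VirtualHost *:443>
    SSLEngine on
  </VirtualHost>
CONF

# Recommended setting: a shared-memory cyclic buffer (shmcb) with an explicit
# size in bytes and an explicit timeout for cached sessions.
HARDENED_SSL_CONF = <<~CONF
  Listen 443
  SSLSessionCache shmcb:/run/httpd/sslcache(512000)
  SSLSessionCacheTimeout 300
  <VirtualHost *:443>
    SSLEngine on
  </VirtualHost>
CONF

# Returns the value of the first SSLSessionCache directive (comment lines are
# ignored), or nil when the directive is absent, in which case httpd falls back
# to its built-in default of none.
def ssl_session_cache_value(conf)
  conf.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?("#")
    directive, _, value = stripped.partition(/\s+/)
    return value.strip if directive.casecmp?("SSLSessionCache")
  end
  nil
end

# Classifies the cache setting as one of:
#   :missing  - directive absent, so the default (none) applies
#   :disabled - explicitly "none" or "nonenotnull"
#   :shmcb    - the recommended shared-memory cache
#   :other    - any other backend (dbm, dc, ...)
def classify_ssl_session_cache(conf)
  value = ssl_session_cache_value(conf)
  return :missing if value.nil?

  case value.downcase
  when "none", "nonenotnull" then :disabled
  when /\Ashmcb:/          then :shmcb
  else :other
  end
end

# Builds a list of human-readable findings for a configuration; empty when the
# cache is configured as recommended.
def audit_ssl_session_cache(conf)
  findings = []
  case classify_ssl_session_cache(conf)
  when :missing
    findings << "SSLSessionCache not set; httpd defaults to none (no session resumption)"
  when :disabled
    findings << "SSLSessionCache is none; full TLS handshake on every connection"
  when :other
    findings << "SSLSessionCache uses a non-shmcb backend; shmcb is the recommended cache"
  end
  unless conf =~ /^\s*SSLSessionCacheTimeout\b/i
    findings << "SSLSessionCacheTimeout not set; httpd default of 300 seconds applies"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { "weak" => WEAK_SSL_CONF, "hardened" => HARDENED_SSL_CONF }.each do |name, conf|
    findings = audit_ssl_session_cache(conf)
    puts "#{name}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Running the script reports the weak fragment as disabling the cache and the hardened fragment as clean. The check deliberately treats an absent directive the same way as an explicit none, since that is what httpd does, which is exactly the situation the issue describes: a generated configuration that never mentions SSLSessionCache silently inherits the non-recommended default.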

CVE-2022-30123 (Critical) detected in rack-2.2.3.gem

CVE-2022-30123 - Critical Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow a possible shell escape in the Lint and CommonLogger components of Rack.

Publish Date: 2022-12-05

URL: CVE-2022-30123

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-wq4h-7r42-5hrr

Release Date: 2022-12-05

Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1



Leverage IniParse

As we add support for Active Directory and LDAP, the sssd.conf file manipulations are getting more involved; we need to leverage IniParse to help us better manage that conf file.

CVE-2022-30122 (High) detected in rack-2.2.3.gem

CVE-2022-30122 - High Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.

Publish Date: 2022-12-05

URL: CVE-2022-30122

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-hxqx-xwvh-44m2

Release Date: 2022-12-05

Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1



CVE-2022-44572 (High) detected in rack-2.2.3.gem

CVE-2022-44572 - High Severity Vulnerability

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

  • manageiq-style-1.3.1.gem (Root Library)
    • rubocop-rails-2.12.2.gem
      • rack-2.2.3.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A denial of service vulnerability in the multipart parsing component of Rack, fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1, could allow an attacker to craft input that causes RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Publish Date: 2023-02-09

URL: CVE-2022-44572

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-rqv2-275x-2jq5

Release Date: 2023-02-09

Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1

