Systemwalker Resource Coordinator Virtual server Edition / ServerView Resource Coordinator / ServerView Resource Orchestrator: Ruby on Rails security vulnerability (CVE-2013-0156). March 20th, 2014



1. Description

Recently, the security vulnerability CVE-2013-0156 (note 1) was discovered in Ruby on Rails. Ruby on Rails is included in the following Fujitsu software.

  • Systemwalker Resource Coordinator Virtual server Edition (hereinafter SWRC-VE)
  • ServerView Resource Coordinator (hereinafter RCVE)
  • ServerView Resource Orchestrator (hereinafter ROR)

note 1) The Ruby on Rails vulnerability CVE-2013-0156 lies in the parsing of XML request parameters: the parser applies type conversions (including YAML deserialization and Symbol conversion) chosen by the request itself, so a crafted HTTP request lets an attacker execute arbitrary code on the HTTP server.

Fujitsu has released a workaround, described in "3-3. Workaround". Please apply the workaround as soon as possible.

2. Impact

This vulnerability allows an attacker to execute arbitrary code on the SWRC-VE/ RCVE/ ROR manager server over a network connection. By sending malicious code in an HTTP request to the SWRC-VE/ RCVE/ ROR manager server, the attacker can also stop the SWRC-VE/ RCVE/ ROR manager service, leaving SWRC-VE/ RCVE/ ROR unable to function properly.

For the severity assessment of this vulnerability, refer to the information released by the MITRE Corporation listed under "4. Related information".
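The following Ruby script is added here as an illustration; it is not code from Fujitsu or from Ruby on Rails. It models how the Rails 2.x XML parameter parser picked a converter from its XML_PARSING table according to the element's type attribute, and why the two delete calls used in "3-3. Workaround" neutralise the attack: the 'symbol' and 'yaml' entries are the ones that hand request-controlled text to to_sym and to the YAML loader. The table contents, the XML request body and all function names are constructed for this example, and ActiveSupport is not required to run it.

```ruby
# Added example (not Fujitsu's or Rails' code): a small model of the Rails 2.x
# XML parameter type conversion behind CVE-2013-0156 and of the workaround.
require "rexml/document"
require "yaml"

# Modelled on ActiveSupport's XML_PARSING hash (constructed here, not the
# library's table): the "type" attribute of an XML element selects the
# converter applied to that element's text.
def build_xml_parsing
  {
    "integer" => ->(v) { Integer(v) },
    "boolean" => ->(v) { %w[1 true].include?(v.strip) },
    "string"  => ->(v) { v },
    # The two dangerous entries: request text is handed to the YAML loader
    # (arbitrary object instantiation in Rails' era) and to to_sym
    # (unbounded symbol creation, a memory exhaustion vector).
    "symbol"  => ->(v) { v.to_sym },
    "yaml"    => ->(v) { YAML.load(v) },
  }
end

# Turn an XML request body into a params hash the way Hash.from_xml did:
# an element with a recognised type= attribute is typecast, anything else
# stays a String.
def params_from_xml(xml, table)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, params|
    conv = table[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = conv ? conv.call(text) : text
  end
end

# The advisory's workaround, expressed against the model table: with the
# entries gone, "symbol" and "yaml" are unknown types and fall through to
# the plain-String case.
def harden(table)
  table.delete("symbol")
  table.delete("yaml")
  table
end

# Constructed request body. A client may legitimately send a typed integer,
# but nothing should let the client select "yaml" or "symbol" conversion.
ATTACK_XML = <<~XML
  <user>
    <age type="integer">42</age>
    <role type="symbol">admin</role>
    <note type="yaml">--- [1, 2]</note>
  </user>
XML

if $PROGRAM_NAME == __FILE__
  p params_from_xml(ATTACK_XML, build_xml_parsing)          # role/note converted
  p params_from_xml(ATTACK_XML, harden(build_xml_parsing))  # role/note stay Strings
end
```

The benign YAML document used here only produces an Array; the point is that before the workaround the converter chosen by the attacker runs at all, and that after it the same request body reaches the application as inert strings while the legitimate integer conversion still works.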

3. Affected systems and corresponding action

3-1. Affected systems:

PRIMERGY

3-2. Affected products and required patch

Systemwalker Resource Coordinator

  Products                                                  Version  Target OS  Package name  Patch ID
  Systemwalker Resource Coordinator Virtual server Edition  13.3.0   Windows    -             Pending *

ServerView Resource Coordinator

  Products                                       Version  Target OS  Package name  Patch ID
  ServerView Resource Coordinator VE Standard    V2.1.0   Windows    -             pending *
  ServerView Resource Coordinator VE Enterprise  V2.1.0   Windows    -             pending *
  ServerView Resource Coordinator VE Standard    V2.1.1   Linux      FJSVrcvmr     pending *
  ServerView Resource Coordinator VE Enterprise  V2.1.1   Linux      FJSVrcvmr     pending *
  ServerView Resource Coordinator VE Standard    V2.1.2   Windows    -             T004023WP-05
  ServerView Resource Coordinator VE Standard    V2.1.2   Linux      FJSVrcvmr     T004025LP-06
  ServerView Resource Coordinator VE Enterprise  V2.1.2   Windows    -             T004023WP-05
  ServerView Resource Coordinator VE Enterprise  V2.1.2   Linux      FJSVrcvmr     T004025LP-06
  ServerView Resource Coordinator VE Standard    V2.1.3   Windows    -             T004024WP-12
  ServerView Resource Coordinator VE Standard    V2.1.3   Linux      FJSVrcvmr     T004026LP-10
  ServerView Resource Coordinator VE Enterprise  V2.1.3   Windows    -             T004024WP-12
  ServerView Resource Coordinator VE Enterprise  V2.1.3   Linux      FJSVrcvmr     T004026LP-10
  ServerView Resource Coordinator VE Standard    V2.2.0   Windows    -             T004646WP-16
  ServerView Resource Coordinator VE Standard    V2.2.0   Linux      FJSVrcvmr     T004647LP-11
  ServerView Resource Coordinator VE Enterprise  V2.2.0   Windows    -             T004646WP-16
  ServerView Resource Coordinator VE Enterprise  V2.2.0   Linux      FJSVrcvmr     T004647LP-11
  ServerView Resource Coordinator VE Standard    V2.2.2   Windows    -             T005054WP-17
  ServerView Resource Coordinator VE Standard    V2.2.2   Linux      FJSVrcvmr     T005069LP-10
  ServerView Resource Coordinator VE Enterprise  V2.2.2   Windows    -             T005054WP-17
  ServerView Resource Coordinator VE Enterprise  V2.2.2   Linux      FJSVrcvmr     T005069LP-10

ServerView Resource Orchestrator

  Products                                          Version  Target OS  Package name  Patch ID
  ServerView Resource Orchestrator                  V2.2.0   Windows    -             pending *
  ServerView Resource Orchestrator                  V2.2.0   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator                  V2.2.1   Windows    -             pending *
  ServerView Resource Orchestrator                  V2.2.1   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator                  V2.2.2   Windows    -             pending *
  ServerView Resource Orchestrator                  V2.2.2   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator                  V2.3.0   Windows    -             pending *
  ServerView Resource Orchestrator                  V2.3.0   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Virtual Edition  V3.0.0   Windows    -             pending *
  ServerView Resource Orchestrator Virtual Edition  V3.0.0   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Cloud Edition    V3.0.0   Windows    -             pending *
  ServerView Resource Orchestrator Cloud Edition    V3.0.0   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Express          V3.1.0   Windows    -             pending *
  ServerView Resource Orchestrator Express          V3.1.0   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.0   Windows    -             pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.0   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.0   Windows    -             pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.0   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Express          V3.1.0A  Windows    -             pending *
  ServerView Resource Orchestrator Express          V3.1.0A  Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.0A  Windows    -             pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.0A  Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.0A  Windows    -             pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.0A  Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Express          V3.1.1   Windows    -             pending *
  ServerView Resource Orchestrator Express          V3.1.1   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.1   Windows    -             pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.1   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.1   Windows    -             pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.1   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Express          V3.1.1A  Windows    -             pending *
  ServerView Resource Orchestrator Express          V3.1.1A  Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.1A  Windows    -             pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.1A  Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.1A  Windows    -             pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.1A  Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Express          V3.1.2   Windows    -             pending *
  ServerView Resource Orchestrator Express          V3.1.2   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.2   Windows    -             pending *
  ServerView Resource Orchestrator Virtual Edition  V3.1.2   Linux      FJSVrcvmr     pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.2   Windows    -             pending *
  ServerView Resource Orchestrator Cloud Edition    V3.1.2   Linux      FJSVrcvmr     pending *

[Note]
* The patch is still pending for these versions. For them, apply the following "3-3. Workaround" at this time.

Remark:
The supported target OSes are as follows.

  • Windows
    Supported Windows editions and versions are :
    • Windows Server 2012 Standard
    • Windows Server 2012 Datacenter
    • Windows Server 2008 Standard (x86, x64)
    • Windows Server 2008 Enterprise (x86, x64)
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
    • Windows Server 2003 R2, Standard Edition (x86, x64)
    • Windows Server 2003 R2, Enterprise Edition (x86, x64)
  • Linux
    Supported Linux versions are :
    • Red Hat Enterprise Linux 6.2 (x86, Intel64)
    • Red Hat Enterprise Linux 6.1 (x86, Intel64)
    • Red Hat Enterprise Linux 6 (x86, Intel64)
    • Red Hat Enterprise Linux 5.8 (x86, Intel64)
    • Red Hat Enterprise Linux 5.7 (x86, Intel64)
    • Red Hat Enterprise Linux 5.6 (x86, Intel64)
    • Red Hat Enterprise Linux 5.5 (x86, Intel64)
    • Red Hat Enterprise Linux 5.4 (x86, Intel64)
    • Red Hat Enterprise Linux 5.3 (x86, Intel64)

Note that the supported OS editions and versions differ between SWRC-VE/ RCVE/ ROR versions. Refer to the SWRC-VE/ RCVE/ ROR manual for the supported OS.

Note: Determining the affected product

  • In Windows
    • In case of Windows Server 2003:
      1. Click the "Start" button, select "Control Panel", then select "Add or Remove Programs".
      2. In the "Add or Remove Programs" window, check whether one of the following software products is installed.
        • Systemwalker Resource Coordinator Virtual server Edition Manager
        • ServerView Resource Coordinator VE Manager
        • ServerView Resource Orchestrator Manager
        If none of the above software appears in the list, the affected product is not installed and there is no need to proceed to the next step.
      3. Select the software found in the previous step and click the link "Click here for support information.". The "Support Info" window will appear.
      4. In the "Support Info" window, check the "Version".
        If the installed version matches one of the products listed in section "3-2", the installed product contains the vulnerability.
    • In case of Windows Server 2008/ Windows Server 2012:
      1. Click the "Start" button, select "Control Panel", then click "Programs and Features".
      2. In the "Programs and Features" window, check whether one of the following software products is installed.
        • ServerView Resource Coordinator VE Manager
        • ServerView Resource Orchestrator Manager
        If none of the above software appears in the list, the affected product is not installed and there is no need to proceed to the next step.
      3. Select the software found in the previous step; its details are displayed at the bottom of the "Programs and Features" window.
      4. If the installed version matches one of the products listed in section "3-2", the installed product contains the vulnerability.
  • In Linux
    1. Open a terminal
    2. Check whether RCVE/ ROR is installed by executing the following command.
      #/bin/rpm -qi FJSVrcvmr
    3. Check the "Version" field in the output of the previous command.
      If the "Version" matches one of the versions listed in section "3-2", the installed product contains the vulnerability.

3-3. Workaround

  • In Windows
    1. Log in to the SWRC-VE/ RCVE/ ROR manager server as Administrator or as a user with administrator privileges.
    2. Open Windows Explorer and move to the following directory.
      < SWRC-VE/ RCVE/ ROR installation path >\Manager\rails\config\initializers
      Note: < SWRC-VE/ RCVE/ ROR installation path > is the path of the SWRC-VE/ RCVE/ ROR installation directory.
    3. Check whether the file "CVE-2013-0156.rb" exists.
      1. If "CVE-2013-0156.rb" exists, the workaround has already been applied and there is no need to proceed to the next step.
      2. If "CVE-2013-0156.rb" does not exist, create it with a text editor and add the following 2 lines to the file.
        ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
        ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
    4. Open a command prompt and restart the SWRC-VE/ RCVE/ ROR manager service by executing the following commands.
      < SWRC-VE/ RCVE/ ROR installation path >\SVROR\Manager\bin\rcxmgrctl stop
      < SWRC-VE/ RCVE/ ROR installation path >\SVROR\Manager\bin\rcxmgrctl start
  • In Linux
    1. Log in to the RCVE/ ROR manager server as the root user.
    2. Open a terminal and change to the directory /opt/FJSVrcvmr/rails/config/initializers/
      #cd /opt/FJSVrcvmr/rails/config/initializers/
    3. Check whether the file "CVE-2013-0156.rb" exists in that directory.
      #ls -l CVE-2013-0156.rb
      1. If the file exists, the workaround has already been applied and there is no need to proceed to the next step.
      2. If the file does not exist, create CVE-2013-0156.rb and add the following 2 lines to the file.
        ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
        ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
        Below is an example of adding the 2 lines above with the echo command.
        #echo "ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')" >> CVE-2013-0156.rb
        #echo "ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')" >> CVE-2013-0156.rb
    4. Restart the RCVE/ ROR manager service by executing the following commands.
      #/opt/FJSVrcvmr/bin/rcxmgrctl stop
      #/opt/FJSVrcvmr/bin/rcxmgrctl start
    Note: The workaround does not affect SWRC-VE/ RCVE/ ROR functionality. The two lines remove the 'symbol' and 'yaml' entries from the type-conversion table that Rails applies to XML request parameters, so those conversions can no longer be selected by a request. Files in the initializers directory are read only when the manager starts, which is why the restart in step 4 is required.
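The Ruby script below is an added example, not Fujitsu's tooling, for applying and verifying the Linux and Windows procedures above in one idempotent step. The advisory's own check treats the mere existence of CVE-2013-0156.rb as proof that the workaround is in place; an empty or half-written file would pass that check while leaving the 'yaml' conversion reachable, so the script instead checks that both delete lines are present, appends only the missing ones, and refuses to create the initializers directory itself (a missing directory means the path is wrong or the manager is not installed). The function names are the example's own; the default directory is the Linux path given in step 2, and on Windows the directory from step 2 of the Windows procedure is passed as the argument. The manager restart from step 4 is deliberately left to the operator.

```ruby
# Added example (not Fujitsu's code): idempotent application and verification
# of the CVE-2013-0156 initializer workaround described in this advisory.
require "tmpdir"  # only used by the accompanying self-check

WORKAROUND_FILE = "CVE-2013-0156.rb"
# The two lines from "3-3. Workaround", exactly as they must appear.
WORKAROUND_LINES = [
  "ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')",
  "ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')",
].freeze

# Return the workaround lines that are absent from the initializer file
# (all of them if the file does not exist). An empty result means the
# workaround is fully in place; a partial result is the case the
# "does the file exist" check in the advisory would miss.
def missing_workaround_lines(initializers_dir)
  path = File.join(initializers_dir, WORKAROUND_FILE)
  return WORKAROUND_LINES.dup unless File.file?(path)
  present = File.readlines(path, chomp: true).map(&:strip)
  WORKAROUND_LINES.reject { |line| present.include?(line) }
end

# Create or complete the initializer. Returns :already_applied when nothing
# had to change and :applied when lines were written. Existing lines are
# kept, so running this twice never duplicates anything.
def apply_workaround(initializers_dir)
  unless File.directory?(initializers_dir)
    raise ArgumentError, "#{initializers_dir} does not exist; is the manager installed there?"
  end
  missing = missing_workaround_lines(initializers_dir)
  return :already_applied if missing.empty?
  path = File.join(initializers_dir, WORKAROUND_FILE)
  File.open(path, "a") { |f| missing.each { |line| f.puts(line) } }
  :applied
end

# Stand-alone use: ruby apply_workaround.rb [initializers-directory]
# The manager must then be restarted (rcxmgrctl stop / rcxmgrctl start)
# because Rails reads initializers only at startup.
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  dir = ARGV.fetch(0, "/opt/FJSVrcvmr/rails/config/initializers")
  result = apply_workaround(dir)
  puts "#{result}: #{File.join(dir, WORKAROUND_FILE)}"
  puts "restart the manager for the initializer to take effect" if result == :applied
end
```

Run it with the initializers directory as the argument; a second run reports already_applied, and a file that contains only one of the two lines is completed rather than accepted.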

4. Related information

5. Revision history

  • March 20th, 2014: 2nd release
    • Updated "3-2. Affected products and required patch"
      • Added new product versions
      • Updated product names
      • Added released patches to the Patch ID column
      • Updated the supported OSes in "Remark"
      • Added the installed software to check for in "Note: Determining the affected product"
  • March 13th, 2013: Initial release
