CVE-2013-2095

9.8 CRITICAL

📋 TL;DR

CVE-2013-2095 is a command injection vulnerability in the rubygem-openshift-origin-controller API that allows attackers to execute arbitrary commands on the server. The flaw is improper validation of the user-supplied cartridge URL that cartridge_cache.rb passes to URI.parse() when an application is created. It affects OpenShift Origin deployments running vulnerable versions of the controller gem.

💻 Affected Systems

Products:
  • rubygem-openshift-origin-controller
  • OpenShift Origin
Versions: Versions prior to 1.16.1.5
Operating Systems: Linux distributions running OpenShift Origin
Default Config Vulnerable: ⚠️ Yes
Notes: Affects OpenShift Origin deployments using the vulnerable controller gem. OpenShift Enterprise may also be affected depending on version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing remote code execution with root privileges, enabling data theft, service disruption, and lateral movement within the infrastructure.

🟠 Likely Case

Remote code execution leading to application compromise, data exfiltration, and potential privilege escalation within the OpenShift environment.

🟢 If Mitigated

Limited impact with proper network segmentation and least privilege principles, potentially only affecting isolated containers.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via the API which is typically exposed to users.
🏢 Internal Only: HIGH - Even internal APIs can be targeted by authenticated users or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires API access but the vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.16.1.5 and later

Vendor Advisory: https://access.redhat.com/security/cve/cve-2013-2095

Restart Required: Yes

Instructions:

1. Update rubygem-openshift-origin-controller to version 1.16.1.5 or later using 'gem update rubygem-openshift-origin-controller'.
2. Restart OpenShift Origin services.
3. Verify the fix by checking the gem version.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement strict input validation for API parameters before they reach the vulnerable URI.parse() function.

# Add input validation in application code before calling vulnerable functions
# Example: validate and sanitize all user-provided URI parameters
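An added example of such a filter, not code from this page or from the OpenShift project: a Ruby allowlist check for the cartridge URL before it reaches URI.parse(), and an argv-array form of the download command so that no shell ever interprets the URL. The function names, the allowlisted hosts and the curl-based download are assumptions.

```ruby
require "uri"

# Added example (not OpenShift project code): allowlist validation for a
# user-supplied cartridge URL before it is handed to URI.parse and, later,
# to whatever command downloads it. Names and the allowlist are assumptions.

ALLOWED_SCHEMES = %w[http https].freeze
# Hypothetical allowlist of hosts that cartridges may be fetched from.
ALLOWED_HOSTS   = %w[cartridges.example.com mirror.example.com].freeze
# Characters with meaning to a POSIX shell; none belong in a cartridge URL.
# '&' and '?' are included, so query strings are rejected as well.
SHELL_META      = /[\s;&|`$()<>\\'"*?{}\[\]!~#]/

# Returns the parsed URI when +raw+ passes every check, nil otherwise.
def validated_cartridge_uri(raw)
  return nil unless raw.is_a?(String) && raw.length.between?(8, 2048)
  return nil if raw.match?(SHELL_META)
  uri = URI.parse(raw)                         # may raise URI::InvalidURIError
  return nil unless uri.is_a?(URI::HTTP)       # URI::HTTPS is a subclass of URI::HTTP
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme)
  return nil unless ALLOWED_HOSTS.include?(uri.host)
  return nil if uri.userinfo                   # no embedded credentials
  return nil if uri.path.empty? || uri.path.end_with?("/")  # must name a file
  uri
rescue URI::InvalidURIError
  nil
end

# Builds the download command as an argv array so the URL is passed as a
# single argument; run it with system(*argv) or Open3.capture3(*argv),
# never by interpolating the URL into a command string.
def download_argv(uri, dest_dir)
  ["curl", "--fail", "--silent", "--location",
   "--output", File.join(dest_dir, File.basename(uri.path)),
   uri.to_s]
end

if __FILE__ == $PROGRAM_NAME
  good = validated_cartridge_uri("https://cartridges.example.com/php-5.3.tar.gz")
  bad  = validated_cartridge_uri("https://cartridges.example.com/x.tar.gz; id")
  puts "accepted: #{good.inspect}"
  puts "rejected: #{bad.inspect}"
  puts "argv: #{download_argv(good, "/tmp").inspect}"
end
```

The two halves are independent: the allowlist stops hostile input at the API boundary, and the argv form removes the shell from the download path, so even a value that slips past the allowlist cannot be interpreted as a command.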

Network Segmentation

Platform: linux

Restrict API access to trusted networks only using firewall rules.

iptables -A INPUT -p tcp --dport <api_port> -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport <api_port> -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit API exposure to only necessary users and systems.
  • Deploy web application firewall (WAF) rules to detect and block command injection attempts in API requests.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of rubygem-openshift-origin-controller: 'gem list | grep openshift-origin-controller'

Check Version:

gem list | grep openshift-origin-controller

Verify Fix Applied:

Run 'gem list | grep openshift-origin-controller' and confirm the reported version is 1.16.1.5 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests with shell metacharacters in parameters
  • Failed authentication attempts followed by API exploitation attempts
  • Commands executed from OpenShift controller processes

Network Indicators:

  • API requests containing shell commands or special characters in URI parameters
  • Outbound connections from OpenShift controller to unexpected destinations

SIEM Query:

source="openshift-controller.log" AND ("URI.parse" OR "cartridge_cache" OR "|" OR ";" OR "$" OR "`" OR "(")
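The query above matches any line containing "(" or "$", so it is noisy on a Rails log. An added example, not from this page or the project, that narrows the log indicators above to what matters: a Ruby scan of request log lines that flags only application-creation requests whose URL-valued parameters carry shell metacharacters. The log line format and the sample lines are constructed for the example.

```ruby
# Added example (not from the page or the project): scans Rails-style request
# log lines for application-creation requests whose parameters carry shell
# metacharacters. The line format "<time> <METHOD> <path> Parameters: {...}"
# and the sample lines below are constructed.

SHELL_META_RE = /[;&|`$()<>\n\r]/
APP_CREATE_RE = %r{\APOST\s+/broker/rest/domains/[^/]+/applications}
# Matches "key"=>"value" pairs inside a Rails "Parameters:" hash.
PARAM_RE      = /"([^"]+)"=>"((?:[^"\\]|\\.)*)"/

CONSTRUCTED_LOG = <<~LOG
  2013-05-15T10:00:01 POST /broker/rest/domains/d1/applications Parameters: {"name"=>"myapp", "cartridge"=>"https://cartridges.example.com/php.tar.gz"}
  2013-05-15T10:00:07 POST /broker/rest/domains/d1/applications Parameters: {"name"=>"app2", "cartridge"=>"https://cartridges.example.com/php.tar.gz;id"}
  2013-05-15T10:00:09 GET /broker/rest/domains/d1/applications Parameters: {}
  2013-05-15T10:00:11 POST /broker/rest/domains/d1/applications Parameters: {"name"=>"app3", "cartridge"=>"https://cartridges.example.com/$(id).tar.gz"}
LOG

# Returns one finding per suspicious parameter on an application-creation
# line, or an empty array for every other line.
def suspicious_params(line)
  ts, method, path, rest = line.split(" ", 4)
  return [] unless rest && "#{method} #{path}".match?(APP_CREATE_RE)
  rest.scan(PARAM_RE)
      .select { |_k, v| v.match?(SHELL_META_RE) }
      .map { |k, v| { time: ts, param: k, value: v } }
end

# Scans a whole log text and returns all findings in order.
def scan_log(text)
  text.each_line.flat_map { |l| suspicious_params(l.chomp) }
end

if __FILE__ == $PROGRAM_NAME
  scan_log(CONSTRUCTED_LOG).each do |f|
    puts "#{f[:time]} suspicious #{f[:param]}=#{f[:value].inspect}"
  end
end
```

Restricting the match to the application-creation endpoint and to parameter values keeps ordinary log noise (stack traces, JSON bodies, timing lines) out of the alert; extend APP_CREATE_RE if your deployment exposes the cartridge URL through other routes.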
