Vulnerability in django (CVE-2012-4520)
Summary
vulnerability in django (CVE-2012-4520). Risk of unauthorized operations or information disclosure. Exploitable via `Host header`. Mitigation: upgrade to `9305c0e12d43c4df999c3301a1f0c742264a657e, b45c377f8f488955e0c7069cad3f3dd21910b071, 92d3430f12171f16f566c9050c40feefb830a4a3, 1.3.4, 1.4.2` or later.
AI summary snake-internal / snake-material-v2
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
-
1Identify exposure identify
grep -r 'django' . | grep -v node_modulesリポジトリと本番環境の依存ファイル (package-lock.json / requirements.txt / go.sum / Gemfile.lock 等) で `django` を grep し、稼働しているサービス・バージョンを把握する。
-
6Apply patch patch
Upgrade django to 9305c0e12d43c4df999c3301a1f0c742264a657e, b45c377f8f488955e0c7069cad3f3dd21910b071, 92d3430f12171f16f566c9050c40feefb830a4a3, 1.3.4, 1.4.2ステージング環境で 9305c0e12d43c4df999c3301a1f0c742264a657e, b45c377f8f488955e0c7069cad3f3dd21910b071, 92d3430f12171f16f566c9050c40feefb830a4a3, 1.3.4, 1.4.2 に上げて回帰テスト → 本番反映。回帰テストはアプリの主要ハッピーパスと、Step 3 で見つけた異常検知の続報チェックを含めること。
-
7Post-deployment verification verify
Confirm patched version is live in productionパッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。
Affected packages
References
- advisory http://secunia.com/advisories/51314
- advisory http://secunia.com/advisories/51033
- advisory http://www.debian.org/security/2013/dsa-2634
- advisory https://github.com/advisories/GHSA-2655-q453-22f9
- patch https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
- patch https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
- patch https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
- report https://bugzilla.redhat.com/show_bug.cgi?id=865164
- web http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
- web http://www.osvdb.org/86493
- web https://www.djangoproject.com/weblog/2012/oct/17/security/
- web http://securitytracker.com/id?1027708
- web http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
- web http://www.openwall.com/lists/oss-security/2012/10/30/4
- web http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
- web http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
- web http://ubuntu.com/usn/usn-1632-1
- web http://ubuntu.com/usn/usn-1757-1