The ManageIQ team is aware of a vulnerability in rest-client introduced by a compromised account of one of the rest-client maintainers.

This vulnerability has been assigned CVE-2019-15224. At this point the only known version of rest-client that is impacted is 1.6.13. This version has been yanked from rubygems.org and can no longer be installed.

All versions of ManageIQ going back to botvinnik-1 have used rest-client 2.0.0 and are not impacted by this vulnerability. ManageIQ anand (Aug 2014) used rest-client 1.6.* and it is recommended that anyone using this version upgrade immediately to a supported version.

To summarize, no released versions of ManageIQ are impacted by this vulnerability.

If you are a developer, it is recommended that you check the versions of rest-client that you have installed. You can check the version of rest-client that ManageIQ is using by running bundle show rest-client from the main manageiq directory:

$ bundle show rest-client
/home/grare/adam/.gem/gems/rest-client-2.0.2

You should also check the versions of rest-client that you have installed on your system with gem list rest-client:

$ gem list rest-client

*** LOCAL GEMS ***

rest-client (2.0.2)

If you do have a compromised version of rest-client installed, you should remove it immediately! You can do this by running gem uninstall rest-client --version '= 1.6.13'
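The two checks above combined into one script, as an added example that is not the ManageIQ project's own code: it reads the rest-client versions resolved in a Gemfile.lock (a constructed fragment is embedded as a fallback) and the versions installed in the local gem environment, and reports any that match the yanked 1.6.13.

```ruby
# Added example (not ManageIQ's own code): flag the yanked rest-client 1.6.13
# both in a project's Gemfile.lock and among the gems installed locally.
require 'rubygems'

# Only version 1.6.13 is known to be affected by CVE-2019-15224.
COMPROMISED = { 'rest-client' => ['1.6.13'] }.freeze

# Versions of +gem_name+ resolved in a Gemfile.lock body. Resolved gems sit
# under "specs:" indented by exactly four spaces: "    rest-client (2.0.2)".
# Dependency lines are indented deeper and so are not matched.
def locked_versions(lockfile_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/
  lockfile_text.each_line.map { |l| (m = pattern.match(l)) && m[1] }.compact
end

# Versions installed in the local gem environment, i.e. what
# "gem list rest-client" shows.
def installed_versions(gem_name)
  Gem::Specification.find_all_by_name(gem_name).map { |s| s.version.to_s }
end

# Subset of +versions+ that are known to be compromised.
def compromised_versions(gem_name, versions)
  versions & COMPROMISED.fetch(gem_name, [])
end

# Human-readable findings for one gem; an empty array means nothing to do.
def findings(gem_name, lockfile_text, installed = installed_versions(gem_name))
  out = []
  compromised_versions(gem_name, locked_versions(lockfile_text, gem_name)).each do |v|
    out << "Gemfile.lock pins #{gem_name} #{v}: update the lock and re-bundle"
  end
  compromised_versions(gem_name, installed).each do |v|
    out << "installed #{gem_name} #{v}: run gem uninstall #{gem_name} --version '= #{v}'"
  end
  out
end

# Constructed Gemfile.lock fragment, used when no real lockfile is present.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.3)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)

  DEPENDENCIES
    rest-client
LOCK

if $PROGRAM_NAME == __FILE__
  lock = File.exist?('Gemfile.lock') ? File.read('Gemfile.lock') : SAMPLE_LOCK
  found = findings('rest-client', lock)
  puts(found.empty? ? 'rest-client: no compromised version found' : found)
end
```

Run it from the main manageiq directory so the real Gemfile.lock is read instead of the constructed fragment.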

You can get more information about the compromise from the rest-client issue: https://github.com/rest-client/rest-client/issues/713

For questions or support, join in on the talk page.

Thank you, The ManageIQ Team