Posts

Ruby on Rails patched to 3.2.13, 3.1.12, and 2.3.18

New versions of Ruby on Rails have been released, and the version you are running should be updated as soon as possible to prevent malicious users from exploiting one or more of the known vulnerabilities fixed in these releases.

Information from the Rails team:

Hi everyone!

Rails versions 3.2.13, 3.1.12, and 2.3.18 have been released. These releases contain important security fixes. It is recommended users upgrade as soon as possible.

Please check out these links for the security fixes:

CVE-2013-1854 Symbol DoS vulnerability in Active Record
CVE-2013-1855 XSS vulnerability in sanitize_css in Action Pack
CVE-2013-1856 XML Parsing Vulnerability affecting JRuby users
CVE-2013-1857 XSS Vulnerability in the sanitize helper of Ruby on Rails

Source: http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/

High risk Ruby on Rails vulnerability

Most users tend to run Ruby on Rails 3.2 these days, but some still run Rails 3.0 or 2.3.
Those who cannot update their application to Rails 3.2 and need to stay on Rails 3.0 or 2.3 are strongly advised to update to Rails 3.0.20 or 2.3.16.

To quote the authors of Rails:
“I’d like to announce that 3.0.20, and 2.3.16 have been released. These releases contain one extremely critical security fix so please update IMMEDIATELY.”

“Impact
The JSON parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.”

More information:
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo

Ruby on Rails Vulnerability

On January 8th, Aaron Patterson announced CVE-2013-0156, multiple vulnerabilities in parameter parsing in Action Pack allowing attackers to:
Bypass Authentication systems
Inject Arbitrary SQL
Perform a Denial of Service (DoS)
Execute arbitrary code

That means that anyone running Ruby on Rails is advised to update to the latest version, as not doing so could lead to a compromise.

More information:
http://weblog.rubyonrails.org/
http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
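All three posts above come down to the same instruction: find out which Rails release an application is locked to and compare it with the patched release for its branch. The following script is an added example written for this page, not code from the Rails team or from any of the linked advisories. It reads a Gemfile.lock, extracts the locked `rails` version, and compares it against the most recent patched release the posts name for that branch (3.2.13, 3.1.12, 3.0.20, 2.3.18); the branch table, the `audit_lockfile` helper and the sample lock file are all constructed for this example. Note that a 2.3.16 install is reported as vulnerable, because the later post raises the 2.3 floor to 2.3.18.

```ruby
# Added example (not part of the original posts): audit the Rails version
# pinned in a Gemfile.lock against the minimum patched release per branch.
require "rubygems" # for Gem::Version, which handles "3.2.13.rc1"-style ordering

# Minimum patched release per Rails branch. Values are the ones the advisories
# above name; 3.0.x received its last fix in 3.0.20, 2.3.x in 2.3.18.
PATCHED_MINIMUM = {
  "3.2" => Gem::Version.new("3.2.13"),
  "3.1" => Gem::Version.new("3.1.12"),
  "3.0" => Gem::Version.new("3.0.20"),
  "2.3" => Gem::Version.new("2.3.18"),
}.freeze

# Classify a Rails version string as :patched, :vulnerable or :unknown_branch.
# Branches not in the table (for example 4.x) are outside the scope of these
# advisories, so the caller has to judge them separately.
def rails_patch_status(version_string)
  version = Gem::Version.new(version_string)
  branch  = version.segments[0, 2].join(".")
  minimum = PATCHED_MINIMUM[branch]
  return :unknown_branch unless minimum
  version >= minimum ? :patched : :vulnerable
end

# Pull the locked rails version out of Gemfile.lock text. In the GEM/specs
# section a resolved gem sits at exactly four spaces of indentation, e.g.
# "    rails (3.0.19)", while its dependencies are indented further and the
# DEPENDENCIES section uses "rails (= 3.0.19)", so neither of those match.
def locked_rails_version(lockfile_text)
  match = lockfile_text.match(/^ {4}rails \(([\w.]+)\)/)
  match && match[1]
end

# Combine both steps; nil version means no rails gem was resolved in the lock.
def audit_lockfile(lockfile_text)
  version = locked_rails_version(lockfile_text)
  return { version: nil, status: :no_rails } unless version
  { version: version, status: rails_patch_status(version) }
end

# Constructed sample Gemfile.lock for an app still on Rails 3.0.19.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.0.19)
        activesupport (= 3.0.19)
      rails (3.0.19)
        actionpack (= 3.0.19)
        railties (= 3.0.19)
      railties (3.0.19)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.0.19)
LOCK

if __FILE__ == $0
  # Use a real lock file when given one, otherwise the constructed sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts audit_lockfile(text).inspect
end
```

Run it as `ruby rails_audit.rb /path/to/Gemfile.lock`; with no argument it audits the embedded sample and reports `{:version=>"3.0.19", :status=>:vulnerable}`. Gem::Version is used rather than string comparison so that `3.2.9` sorts below `3.2.13` and a prerelease such as `3.2.13.rc1` is still treated as unpatched.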