Rails 3 Security Updates


RyanonRails

Jan 14, 2013, 11:22:50 PM
to ye...@googlegroups.com
Hey Everyone,

Make sure that you've updated your Rails versions due to multiple critical security vulnerabilities (CVE-2013-0155 and CVE-2013-0156).

We were able to execute remote code (create files, delete files, etc.) on some of our staging boxes via the exploit. I cannot express how critical these updates are.

On top of that now, thanks to @theDoug I was linked this URL, which notes that a bunch of gems also have the same vulnerability:

I've also heard word that Grape is vulnerable:

So make sure to update the above gems. If anyone hears of any other gems feel free to reply to this.

A minor note, @nathany and @fzeisler mentioned to me (while at @exchangejs) that there are possible issues regarding json when upgrading to the patch level. So be aware of that. If either of you could elaborate on that it might help someone else on the thread.

If you're curious about the exploits themselves, here's a great detailed discussion (and PoC):

I'm not worried about linking to the above links, as if you google the exploit numbers on http://weblog.rubyonrails.org/ you'll end up at the same place.

Ry

Nathan Youngman

Jan 15, 2013, 12:38:26 AM
to ye...@googlegroups.com
Thanks Ry,

The comments on 3.2.11 mentioned a regression with regards to JSON APIs and nils. There were a number of open issues, which you can find linked from:

It's quite possible that your JSON APIs aren't impacted and you can safely update to 3.2.11. On the other hand, the more critical security issue is CVE-2013-0156, which can be patched with an initializer like this: https://gist.github.com/4536371.

There is work on a solution for CVE-2013-0155 that allows nils to pass through params (for a JSON API that may expect nils to be preserved) and allows nils to be passed into ActiveRecord where clauses, but can avoid the combination of nil params passed through params allowing an attacker to access ActiveRecord data they should not be able to. As far as I follow, this solution will be part of strong_parameters (and therefore Rails 4).

So if the regression in 3.2.11 causes issues for you, it may be a good time to look into strong parameters. There also appears to be a temporary workaround here:


Nathan.
--
Nathan Youngman
Email: n...@nathany.com
Web: http://www.nathany.com
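As an added illustration of the nil-in-params problem Nathan describes above (a JSON body such as `{"token": null}` reaching an ActiveRecord where clause and matching rows with a NULL column), here is a small application-level filter that strips nil values from a parsed JSON body and refuses a lookup whose required key is missing. This is my own example code, not the thread's, the linked gist's, or Rails' own fix; the method names and the constructed JSON bodies are assumptions.

```ruby
require 'json'

# Raised when a lookup key is absent or nil after cleaning (assumed name).
class NilParamError < StandardError; end

# Recursively drop nil values, and arrays that contain only nils, from a
# parsed JSON parameter structure. After this, {"token" => nil} and
# {"token" => [nil]} can no longer turn into where(token: nil), which in
# SQL becomes "token IS NULL" and would match every row lacking a token.
def strip_nil_params(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      cleaned = strip_nil_params(v)
      out[k] = cleaned unless cleaned.nil?
    end
  when Array
    cleaned = value.map { |v| strip_nil_params(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# Build the conditions hash for a lookup from an untrusted JSON body.
# Every key in +required+ must survive cleaning with a non-nil value;
# otherwise the lookup is refused instead of degrading to an IS NULL match.
# Only the required keys are returned, so extra attacker-supplied keys
# never reach the query either.
def lookup_conditions(json_body, required:)
  params = strip_nil_params(JSON.parse(json_body))
  missing = required.reject { |k| params.key?(k) }
  unless missing.empty?
    raise NilParamError, "missing or nil lookup key(s): #{missing.join(', ')}"
  end
  params.slice(*required)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies: one benign, one carrying a JSON null.
  puts lookup_conditions('{"token":"abc123"}', required: ['token']).inspect
  begin
    lookup_conditions('{"token":null,"admin":true}', required: ['token'])
  rescue NilParamError => e
    puts "refused: #{e.message}"
  end
end
```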