Circumvention of attr_protected, Serialized Attributes YAML Vulnerability, Denial of Service and Unsafe Object Creation Vulnerability in JSON and Rails. This security update contains the following sections:
- Issue - 3 security vulnerabilities summarized.
- Solution - the recommended solution for most cases.
- Workaround - alternatives in case you cannot upgrade now or have older versions.
- FAQs - frequently asked questions.
- More information - helpful links related to these security vulnerabilities.
Issue
A set of security vulnerabilities were released February 11th, 2013:
Denial of Service and Unsafe Object Creation Vulnerability in JSON
There is a denial of service and unsafe object creation vulnerability in the JSON gem. This vulnerability has been assigned the CVE identifier CVE-2013-0269.
Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX.
Not affected: NONE
Fixed Versions: 1.7.7, 1.6.8, 1.5.5
Circumvention of attr_protected
There is a vulnerability in the attr_protected method in ActiveRecord. This vulnerability has been assigned the CVE identifier CVE-2013-0276.
Versions Affected: All.
Not affected: Applications using attr_accessible.
Fixed Versions: 3.2.12, 3.1.11, 2.3.17
Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0
There is a vulnerability in the serialized attribute handling code in Ruby on Rails 2.3 and 3.0. Applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities. This vulnerability has been assigned the CVE identifier CVE-2013-0277.
Versions Affected: 2.3.x, 3.0.x and all earlier versions
Not affected: 3.1.0 and above
Fixed Versions: 2.3.17
Solution
Recommended solution (for Rails 2.3.x, 3.1.x, 3.2.x with Bundler):
- Upgrade to latest cookbook (February 12th Hotfix).
- Update your Gemfile.
- Ensure your Rails version is 3.2.12, 3.1.11, or 2.3.17 in Gemfile. Example:
gem 'rails', '<version>'
- Ensure version of JSON (or json_pure) that does not have the vulnerability (1.7.7, 1.6.8 or 1.5.5, or greater). Example:
gem 'json', '~>1.7.7'
Note: We understand that you may not be able to upgrade your cookbooks (or choose not to do so) at this time. Or, you may not be using Bundler. In these cases, implement one of the workarounds described in the next section.
Workaround
Non-Bundler apps
1) Update your gem versions on the dashboard.
2a) If you are using Ruby 1.9.x:
- The best solution is update cookbooks to get the new version of Ruby without vulnerable JSON in stdlib.
- Alternatively, you need to use the gem command in your code to select it prior to requiring it. Example:
require 'rubygems'
gem 'json', '~> 1.7.7'
require 'json'
2b) If you’re using Ruby 1.8.x, no cookbook upgrade is necessary.
3) Deploy your app.
Rails 3.0 apps
- Ruby on Rails 3.0 trunk is officially End-of-Life, and as such, will not be patched. From http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
"Please note that per our maintenance policy there will be no 3.0.x version released."
- We recommend upgrading to Rails 3.1. You can convert the app to Rails 3.1 in many cases without much difficulty. See "Upgrading to Rails 3.1" for more information: http://asciicasts.com/episodes/282-upgrading-to-rails-3-1 (http://railscasts.com/episodes/282-upgrading-to-rails-3-1)
- If you must stay on Rails 3.0, you can get partial coverage by updating to Rails 3.0.19 and updating JSON (or json_pure) in your Gemfile to ~> 1.7.7, 1.6.8, or 1.5.5 and looking at the workarounds listed in the original posts listed in the More Information section below.
Using Bundler but cannot upgrade cookbooks now
- It is sufficient to explicitly state a fixed version of Rails and JSON (or json_pure) in your Gemfile and redeploy your app as per the recommended instructions; just be sure to run everything using Bundler to prevent the stdlib version of JSON that is shipped with Ruby 1.9.3 from accidentally being used.
Important: Upgrading Rails is recommended because it also takes care of vulnerabilities covered in CVE-2012-5664 and CVE-2013-0156, which were released in January, 2013.
Rails 2.3.x
Important: If you are still on Rails 2.3.x, even though there was a patch provided for this issue, it is officially End-of-Life. We highly recommend that you pursue activities to upgrade to Rails 3.2.
FAQs
How can I tell which versions I have now?
You can verify the versions you are using with:
machine user$ bundle list rails ; bundle list json ; bundle list json_pure
/path/to/gems/rails-3.2.12
/path/to//gems/json-1.7.7
Could not find gem 'json_pure' in the current bundle.
machine user$
This will show you what versions of the gems are in your current bundle. Rails does not hardcode JSON versions so you should be able to move to 1.7.7 or stay on the current minor release.
If you are still not using Bundler you can check with:
machine user$ gem list rails ; gem list json ; gem list json_pure
*** LOCAL GEMS ***
rails (2.3.14)
*** LOCAL GEMS ***
json (1.7.6)
*** LOCAL GEMS ***
machine user$
Note: If you don’t specify gem 'json', it will use the stdlib version; you can check this via irb:
irb> require 'json'
irb> JSON::VERSION
1.5.4
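The following script is an added example (not part of the original article or of the Engine Yard cookbooks) that applies the fixed-version list from the Issue section to the versions reported by bundle list, gem list, or JSON::VERSION; the sample versions in the main block are constructed. It treats Rails 3.0.x as unpatched, matching the End-of-Life note above.

```ruby
require 'rubygems'  # provides Gem::Version for correct version comparison

# Fixed versions as listed in the advisory. Anything older than the fix for
# its own release series is vulnerable; Rails 3.0.x has no fix and is
# therefore always reported as vulnerable.
JSON_FIXED  = %w[1.7.7 1.6.8 1.5.5]
RAILS_FIXED = %w[3.2.12 3.1.11 2.3.17]

# True when +version+ is at or above the fix for its series. A series is the
# first two version segments (e.g. "1.6"). Versions newer than every listed
# fix (e.g. json 1.8.0) count as fixed; a series with no listed fix (e.g.
# Rails 3.0.x or json 1.4.x) counts as vulnerable.
def patched?(version, fixed_versions)
  v = Gem::Version.new(version)
  fixes = fixed_versions.map { |f| Gem::Version.new(f) }
  series = v.segments[0, 2]
  fix = fixes.find { |f| f.segments[0, 2] == series }
  return v >= fix if fix
  v > fixes.max
end

# Audit both gems at once, e.g. {"json" => :vulnerable, "rails" => :patched}.
def audit(json_version, rails_version)
  {
    'json'  => patched?(json_version, JSON_FIXED) ? :patched : :vulnerable,
    'rails' => patched?(rails_version, RAILS_FIXED) ? :patched : :vulnerable,
  }
end

# Check the JSON actually loaded in this interpreter (stdlib or gem), which
# is what matters for non-Bundler apps on Ruby 1.9.x.
def loaded_json_status
  require 'json'
  [JSON::VERSION, patched?(JSON::VERSION, JSON_FIXED)]
end

if __FILE__ == $0
  # Constructed sample: the versions shown in the gem list output above.
  puts audit('1.7.6', '2.3.14').inspect
  ver, ok = loaded_json_status
  puts "loaded json #{ver}: #{ok ? 'patched' : 'vulnerable'}"
end
```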
More information
For more information about ... | See ...
---|---
Denial of Service and Unsafe Object Creation Vulnerability in JSON | CVE-2013-0269
Circumvention of attr_protected | CVE-2013-0276
Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 | CVE-2013-0277
Hotfix for Engine Yard cookbooks - for vulnerabilities above |
If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.