Security: February 11th, 2013: Rails and JSON Vulnerabilities

Circumvention of attr_protected, Serialized Attributes YAML Vulnerability, Denial of Service and Unsafe Object Creation Vulnerability in JSON and Rails. This security update contains the following sections:

  • Issue - 3 security vulnerabilities summarized.
  • Solution - the recommended solution for most cases.
  • Workaround - alternatives in case you cannot upgrade now or have older versions.
  • FAQs - frequently asked questions.
  • More information - helpful links related to these security vulnerabilities.

Issue

A set of security vulnerabilities was released on February 11th, 2013:

Denial of Service and Unsafe Object Creation Vulnerability in JSON

There is a denial of service and unsafe object creation vulnerability in the JSON gem. This vulnerability has been assigned the CVE identifier CVE-2013-0269.

Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX.

Not affected: NONE

Fixed Versions: 1.7.7, 1.6.8, 1.5.5

Circumvention of attr_protected

There is a vulnerability in the attr_protected method in ActiveRecord. This vulnerability has been assigned the CVE identifier CVE-2013-0276.

Versions Affected: All.

Not affected: Applications using attr_accessible.

Fixed Versions: 3.2.12, 3.1.11, 2.3.17

Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0

There is a vulnerability in the serialized attribute handling code in Ruby on Rails 2.3 and 3.0. Applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities. This vulnerability has been assigned the CVE identifier CVE-2013-0277.

Versions Affected: 2.3.x, 3.0.x and all earlier versions

Not affected: 3.1.0 and above

Fixed Versions: 2.3.17

Solution

Recommended solution (for Rails 2.3.x, 3.1.x, 3.2.x with Bundler):

  1. Upgrade to the latest cookbook (February 12th Hotfix).
  2. Update your Gemfile:
     • Ensure your Rails version is 3.2.12, 3.1.11, or 2.3.17 in the Gemfile. Example:
         gem 'rails', '<version>'
     • Ensure the version of JSON (or json_pure) is one that does not have the vulnerability (1.7.7, 1.6.8 or 1.5.5, or greater). Example:
         gem 'json', '~> 1.7.7'
  3. Run bundle install and commit the updated Gemfile and Gemfile.lock to your repo.
  4. Deploy your app (test on staging first).

Note: We understand that you may not be able to upgrade your cookbooks (or may choose not to do so) at this time, or you may not be using Bundler. In these cases, implement one of the workarounds described in the next section.

Workaround

Non-Bundler apps

1) Update your gem versions on the dashboard.

2a) If you are using Ruby 1.9.x:

  • The best solution is to update cookbooks to get the new version of Ruby without the vulnerable JSON in stdlib.
  • Alternatively, use the gem method in your code to select the fixed version before requiring it. Example:
      require 'rubygems'
      gem 'json', '~> 1.7.7'
      require 'json'

2b) If you're using Ruby 1.8.x, no cookbook upgrade is necessary.

3) Deploy your app.

Rails 3.0 apps

Using Bundler but cannot upgrade cookbooks now

  • It is sufficient to explicitly state a fixed version of Rails and JSON (or json_pure) in your Gemfile and redeploy your app as per the recommended instructions; just be sure to run everything using Bundler to prevent the stdlib version of JSON that is shipped with Ruby 1.9.3 from accidentally being used.

Important: Upgrading Rails is recommended because it also takes care of the vulnerabilities covered in CVE-2012-5664 and CVE-2013-0156, which were released in January 2013.

Rails 2.3.x

Important: If you are still on Rails 2.3.x, even though a patch was provided for this issue, it is officially End-of-Life. We highly recommend that you pursue activities to upgrade to Rails 3.2.

FAQs

How can I tell which versions I have now?

You can verify the versions you are using with:

    machine user$ bundle list rails ; bundle list json ; bundle list json_pure 
    /path/to/gems/rails-3.2.12
    /path/to//gems/json-1.7.7
    Could not find gem 'json_pure' in the current bundle.
    machine user$ 

This will show you what versions of the gems are in your current bundle. Rails does not hardcode JSON versions, so you should be able to move to 1.7.7 or stay on the fixed release of your current minor series.

If you are still not using Bundler, you can check with:

    machine user$ gem list rails ; gem list json ; gem list json_pure
    *** LOCAL GEMS ***
    rails (2.3.14)
    *** LOCAL GEMS ***
    json (1.7.6)
    *** LOCAL GEMS ***
    machine user$ 

Note: If you don't specify gem 'json', the stdlib version will be used; you can check this via irb:

    irb> require 'json'
    irb> JSON::VERSION
    1.5.4
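Reading `gem list` output by hand against three fixed releases per gem is error-prone, so here is an added example (not from the Engine Yard advisory or its cookbooks) that applies the fixed versions listed above series by series: a gem is fixed only at or above the patched release of its own minor series, a series with no patched release (Rails 3.0.x) is reported vulnerable, and a series newer than every fixed release is assumed to include the fix. It uses only Ruby's bundled rubygems (Gem::Version); the sample `gem list` text is constructed.

```ruby
# Added example: check gem versions against the fixed releases in the advisory.
# Assumes only Ruby's bundled rubygems (Gem::Version) is available.
require 'rubygems'

# Fixed versions as stated in the advisory, per affected gem.
FIXED_VERSIONS = {
  'rails'     => %w[3.2.12 3.1.11 2.3.17],  # CVE-2013-0276 / CVE-2013-0277
  'json'      => %w[1.7.7 1.6.8 1.5.5],     # CVE-2013-0269
  'json_pure' => %w[1.7.7 1.6.8 1.5.5],
}.freeze

# The "series" of a version is its first two segments (e.g. "3.1" for 3.1.10).
def series_of(version)
  version.segments[0, 2].join('.')
end

# Returns :fixed, :vulnerable, or :unknown (gem not covered by this advisory).
# Fixed when at or above the fixed release of its own series, or when the series
# is newer than every fixed release (assumption: later series ship with the fix).
# A series with no fixed release, such as Rails 3.0.x, is reported vulnerable
# because the advisory lists no patched 3.0 version.
def advisory_status(gem_name, version_string)
  fixed = FIXED_VERSIONS[gem_name]
  return :unknown unless fixed
  version = Gem::Version.new(version_string)
  fixed_versions = fixed.map { |v| Gem::Version.new(v) }
  same_series = fixed_versions.find { |f| series_of(f) == series_of(version) }
  if same_series
    version >= same_series ? :fixed : :vulnerable
  elsif version > fixed_versions.max
    :fixed
  else
    :vulnerable
  end
end

# Parses the "name (x.y.z)" lines that `gem list` prints (the FAQ transcript above
# shows the format) and returns { name => status } for gems the advisory covers.
# When several versions are installed, `gem list` prints the newest first; only
# that one is checked here.
def check_gem_list(output)
  output.scan(/^(\S+) \(([^)]+)\)/).each_with_object({}) do |(name, versions), result|
    status = advisory_status(name, versions.split(',').first.strip)
    result[name] = status unless status == :unknown
  end
end

if __FILE__ == $0
  # Constructed sample, modelled on the FAQ's `gem list` transcript.
  sample = "*** LOCAL GEMS ***\nrails (2.3.14)\n*** LOCAL GEMS ***\njson (1.7.6)\n"
  check_gem_list(sample).each { |name, status| puts "#{name}: #{status}" }
end
```

Run it against the real `gem list` output to get a per-gem verdict; for Bundler apps, feed it the versions from `bundle list` instead, since those are the ones actually loaded.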

More information

For more information about each item, see the reference listed with it:

  • Denial of Service and Unsafe Object Creation Vulnerability in JSON - see CVE-2013-0269
  • Circumvention of attr_protected - see CVE-2013-0276
  • Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 - see CVE-2013-0277
  • Hotfix for Engine Yard cookbooks (for the vulnerabilities above) - see February 2013 Release Notes
