January 8th, 2013: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)

A security vulnerability was disclosed on January 8th, 2013 that affects all versions of Rails.

The best fix is to upgrade to the newest Rails release for your series: 3.2.11, 3.1.10, 3.0.19 or 2.3.15. Bump the version in your Gemfile and deploy, and all your instances will be fixed. These versions also include the fix for CVE-2012-5664, described in the January 2nd, 2013 advisory: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664).

The parameter parsing code in affected versions of Rails honours type="yaml" and type="symbol" attributes in XML request bodies, so an unauthenticated request can make the server deserialize attacker-supplied YAML (instantiating arbitrary Ruby objects) or create arbitrary symbols. This is why the issue is critical: the Rails advisory describes the impact as authentication bypass, arbitrary SQL injection, arbitrary code execution, or denial of service. We strongly recommend that your development team review the original document for the full description of the issue: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

Workaround

If you are unable to bump your Rails version immediately, workarounds are available:

Disable XML entirely:

In Rails 3.x an initializer is enough (any file in config/initializers is loaded at boot; the name below is just a convention):

echo "ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)" > config/initializers/CVE-2013-0156.rb

For Rails 2.3.x:

echo "ActionController::Base.param_parsers.delete(Mime::XML)" > config/initializers/CVE-2013-0156.rb

If you need XML:

You can keep XML parsing and instead remove only the YAML and Symbol type conversions, by putting the following lines in the same initializer instead:

For Rails 3.x:

ActiveSupport::XmlMini::PARSING.delete("symbol") 
ActiveSupport::XmlMini::PARSING.delete("yaml")

For Rails 2.3.x:

ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol') 
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
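Both workarounds above delete entries from a lookup table, which is easier to reason about with the table in front of you. The following is an added example, not the Rails source and not code from this advisory: a cut-down, self-contained reconstruction (stdlib REXML and Psych only) of how typed XML parameters were converted, with a stand-in parsing table in the shape of ActiveSupport::XmlMini::PARSING and a stand-in parser registry in the shape of ActionDispatch::ParamsParser::DEFAULT_PARSERS. All names in it (TYPED_PARSING, HARDENED_PARSING, params_from_xml, parse_body, Marker) and the sample request bodies are this example's own constructions. It shows a type="yaml" node becoming an instance of a class chosen by the requester, the same body yielding only plain strings once "symbol" and "yaml" are deleted, and the body being ignored entirely once the XML parser is removed.

```ruby
require "rexml/document"
require "yaml"

# Affected Rails called YAML.load, which at the time accepted !ruby/object tags.
# Modern Psych makes YAML.load safe, so use unsafe_load where it exists to
# reproduce the 2013 behaviour.
def unsafe_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Stand-in for ActiveSupport::XmlMini::PARSING (this example's own table, not
# the Rails source): maps a node's type="" attribute to a conversion proc.
TYPED_PARSING = {
  "integer" => ->(text) { Integer(text.strip) },
  "boolean" => ->(text) { %w[true 1].include?(text.strip) },
  "string"  => ->(text) { text },
  # Requester-chosen symbols; on Ruby < 2.2 symbols were never garbage-collected,
  # so a stream of distinct values exhausts memory (DoS).
  "symbol"  => ->(text) { text.strip.to_sym },
  # Full YAML deserialisation: the requester picks the Ruby class to instantiate.
  "yaml"    => ->(text) { unsafe_yaml_load(text) },
}

# What the Rails 3.x workaround does to ActiveSupport::XmlMini::PARSING.
HARDENED_PARSING = TYPED_PARSING.dup
HARDENED_PARSING.delete("symbol")
HARDENED_PARSING.delete("yaml")

def convert_node(node, parsing)
  type = node.attributes["type"]
  text = node.texts.map(&:value).join
  if type && parsing.key?(type)
    parsing[type].call(text)
  elsif node.has_elements?
    node.elements.to_a.each_with_object({}) do |child, hash|
      hash[child.name] = convert_node(child, parsing)
    end
  else
    text # untyped, or a type no longer in the table: kept as a plain string
  end
end

def params_from_xml(xml, parsing = TYPED_PARSING)
  root = REXML::Document.new(xml).root
  { root.name => convert_node(root, parsing) }
end

# Stand-in for ActionDispatch::ParamsParser::DEFAULT_PARSERS, keyed by content
# type. Deleting the XML entry is the "disable XML entirely" workaround: an XML
# body is then never parsed at all.
DEFAULT_PARSERS = { "application/xml" => ->(body) { params_from_xml(body) } }

def parse_body(content_type, body, parsers = DEFAULT_PARSERS)
  parser = parsers[content_type]
  parser ? parser.call(body) : {}
end

# Stands in for whatever class an attacker would pick; harmless here.
class Marker
  attr_accessor :note
end

# Constructed sample request bodies (not captured traffic).
BENIGN_XML = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">30</age>
    <admin type="boolean">false</admin>
  </user>
XML

MALICIOUS_XML = <<~XML
  <user>
    <name type="symbol">not_a_string</name>
    <profile type="yaml">--- !ruby/object:Marker
  note: instantiated from the request body
  </profile>
  </user>
XML

if __FILE__ == $PROGRAM_NAME
  p params_from_xml(BENIGN_XML)                        # ordinary typed params
  p params_from_xml(MALICIOUS_XML)                     # "profile" is a Marker instance
  p params_from_xml(MALICIOUS_XML, HARDENED_PARSING)   # "profile" is a plain String
  without_xml = DEFAULT_PARSERS.dup.tap { |h| h.delete("application/xml") }
  p parse_body("application/xml", MALICIOUS_XML, without_xml) # body ignored
end
```

The point to take from the vulnerable run is that nothing in the request needs to be authenticated or even well-formed beyond valid XML: the type attribute alone selects the deserializer. Deleting the "yaml" and "symbol" entries keeps integer and boolean coercion working for legitimate API clients, whereas deleting the XML parser drops XML request bodies altogether, so pick the workaround that matches what your API actually accepts.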

Please remember to also patch your app for CVE-2012-5664.

From the Rails team:

"Please note that only the 3.1.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases."

Engine Yard Cloud customers:

If you are using Rails 2.3.x or 3.x (or higher), your options are:

  1. Upgrade your Rails versions in your Gemfile and deploy.
  2. Disable XML entirely in your app or remove YAML and Symbol support from the XML Parser.

If you are using Rails 2.2.x or lower, your option is:

  1. Upgrade to a corrected version of Rails (2.3.15, 3.0.19, 3.1.10 or 3.2.11).

Important: the Chef code needed to patch an installed Rails in place is complex enough that we strongly advise against attempting it.

Managed Customers:

If you are using Rails 2.3.x or 3.x (or higher), your options are:

  1. Upgrade your Rails versions in your Gemfile and deploy.
  2. Disable XML entirely in your app or remove YAML and Symbol support from the XML Parser.
  3. Contact Engine Yard Support to manually patch your installed Rails.

If you are using Rails 2.2.x or lower, your options are:

  1. Upgrade to a corrected version of Rails (2.3.15, 3.0.19, 3.1.10 or 3.2.11).
  2. Disable XML entirely in your app or remove YAML and Symbol support from the XML Parser.

More information

More details are available in https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
