January 2nd, 2013 (updated): SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

Updated: January 8th, 2012

A security vulnerability was released on January 2nd, 2013 that affects all versions of Rails.

The best solution is to upgrade to the newest Rails version in your series: 3.2.10, 3.1.9, or 3.0.18. You can simply deploy and all your instances will be fixed.

UPDATE: Please update to the newer 3.2.11, 3.1.10, 3.0.19, or 2.3.15, which cover both this issue (CVE-2012-5664) and the newer CVE-2013-0156 XML security issue.

Workaround

If you are unable to bump your Rails version immediately, a workaround is available:

The issue can be mitigated by explicitly converting the parameter to an expected value. For example, change this:

Post.find_by_id(params[:id])

to this:

Post.find_by_id(params[:id].to_s)
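To make the workaround concrete, here is an added example (not Engine Yard's or Rails' code) in plain Ruby with no Rails dependency. It shows what `.to_s` does to the different shapes a request parameter can take once Rails has parsed the query string (a String for `id=42`, a Hash for `id[foo]=bar`, an Array for `id[]=1&id[]=2`), and a stricter check for integer primary keys that rejects anything other than a decimal integer. The parameter hashes are constructed sample input, and `workaround_value` and `strict_id` are names chosen for this example.

```ruby
# Added example: the `.to_s` workaround from the page versus a stricter
# integer coercion. Not Engine Yard's or Rails' code; runs without Rails.

# Constructed sample parameter hashes, shaped like what Rails builds from a
# query string: "id=42" gives a String, "id[foo]=bar" gives a Hash,
# "id[]=1&id[]=2" gives an Array, and an absent parameter gives nil.
SAMPLE_PARAMS = {
  plain:   { "id" => "42" },
  nested:  { "id" => { "foo" => "bar" } },
  array:   { "id" => ["1", "2"] },
  missing: {}
}.freeze

# The page's workaround: force the finder argument to a String. A Hash or
# Array is flattened to its String representation, so the finder receives a
# plain value and no structure it could interpret as anything else.
def workaround_value(params)
  params["id"].to_s
end

# Stricter variant for integer primary keys: accept only a String or Integer
# that is entirely a decimal integer and return it as an Integer; anything
# else (Hash, Array, nil, non-numeric text) yields nil so the caller can
# treat the request as bad input instead of querying with it.
def strict_id(params)
  value = params["id"]
  return nil unless value.is_a?(String) || value.is_a?(Integer)

  str = value.to_s
  return nil unless str.match?(/\A\d+\z/)

  str.to_i
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_PARAMS.each do |name, params|
    puts "#{name}: to_s => #{workaround_value(params).inspect}, " \
         "strict => #{strict_id(params).inspect}"
  end
end
```

In an application the strict variant belongs in the controller before the finder is called (for example `Post.find_by_id(strict_id(params))`, returning a 404 when it is nil); `.to_s` is the minimal change the page recommends when you cannot audit every call site.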

You can also manually patch the Rails gem. However, we do not recommend this, as deploying the patch can be very difficult: Engine Yard Cloud instances do not have shared file systems, so you would need to locate the [Activerecord_Gem_Location]/activerecord/lib/active_record/base.rb file and patch it on every server on every update and deploy. You can instead try a vendored Rails [http://gembundler.com/bundle_install.html] and put the patched gems in vendor/cache, but we suggest you manually verify that your application is using the vendored Rails after it is deployed.

From the Rails team:

"Please note that only the 3.1.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases."

Engine Yard Cloud customers:

If you are using Rails 3.x or higher, your solutions are:

  1. Upgrade your Rails versions in your Gemfile and deploy.
  2. Patch lines like Post.find_by_id(params[:id]) in your code to Post.find_by_id(params[:id].to_s) and deploy.

If you are using Rails 2.x, your solutions are:

  1. Patch lines like Post.find_by_id(params[:id]) in your code to Post.find_by_id(params[:id].to_s) and deploy.
  2. Upgrade to Rails 3.

Important: The Chef code needed to patch the installed Rails is complex enough that we strongly suggest against it.

UPDATE: The Rails team released 2.3.15 for CVE-2013-0156, which includes the patch for this issue (CVE-2012-5664).

Managed Customers:

If you are using Rails 3.x or higher, your solutions are:

  1. Upgrade your Rails versions in your Gemfile and deploy.
  2. Patch lines like Post.find_by_id(params[:id]) in your code to Post.find_by_id(params[:id].to_s) and deploy.
  3. Contact Engine Yard Support to manually patch your installed Rails.

If you are using Rails 2.x, your solutions are:

  1. Patch lines like Post.find_by_id(params[:id]) in your code to Post.find_by_id(params[:id].to_s) and deploy.
  2. Upgrade to Rails 3.
  3. Contact Engine Yard Support to manually patch your installed Rails.

UPDATE: The Rails team released 2.3.15 for CVE-2013-0156, which includes the patch for this issue (CVE-2012-5664).

More information

More details are available in https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM


Comments

  • satish viswanatham

    How about instances of Post.find(params[:id])?

  • Daniel Vu

    Satish: #find should be ok and only #find_by_<x> was found vulnerable
