Engine Yard Developer Center

Security: February 11th, 2013: Rails and JSON Vulnerabilities

Circumvention of attr_protected, Serialized Attributes YAML Vulnerability, Denial of Service and Unsafe Object Creation Vulnerability in JSON and Rails. This security update contains the following sections:

  • Issue - 3 security vulnerabilities summarized.
  • Solution - the recommended solution for most cases.
  • Workaround - alternatives in case you cannot upgrade now or have older versions.
  • FAQs - frequently asked questions.
  • More information - helpful links related to these security vulnerabilities.

Issue

A set of security vulnerabilities was disclosed on February 11th, 2013:

Denial of Service and Unsafe Object Creation Vulnerability in JSON

There is a denial of service and unsafe object creation vulnerability in the JSON gem. This vulnerability has been assigned the CVE identifier CVE-2013-0269.

Versions Affected: All. This includes JSON that ships with Ruby 1.9.X-pXXX.

Not affected: NONE

Fixed Versions: 1.7.7, 1.6.8, 1.5.5

Circumvention of attr_protected

There is a vulnerability in the attr_protected method in ActiveRecord. This vulnerability has been assigned the CVE identifier CVE-2013-0276.

Versions Affected: All.

Not affected: Applications using attr_accessible.

Fixed Versions: 3.2.12, 3.1.11, 2.3.17

Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0

There is a vulnerability in the serialized attribute handling code in Ruby on Rails 2.3 and 3.0. Applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution. This vulnerability has been assigned the CVE identifier CVE-2013-0277.

Versions Affected: 2.3.x, 3.0.x and all earlier versions

Not affected: 3.1.0 and above

Fixed Versions: 2.3.17

Solution

Recommended solution (for Rails 2.3.x, 3.1.x, 3.2.x with Bundler):

  1. Upgrade to latest cookbook (February 12th Hotfix).
  2. Update your Gemfile.
    • Ensure your Rails version is 3.2.12, 3.1.11, or 2.3.17 in Gemfile. Example:
      gem 'rails', '<version>'
    • Ensure your version of JSON (or json_pure) is one that does not have the vulnerability (1.7.7, 1.6.8 or 1.5.5, or greater). Example:
      gem 'json', '~>1.7.7'
  3. Run bundle install and commit the updated Gemfile and Gemfile.lock to your repo.
  4. Deploy your app (test on staging first).

Note: We understand that you may not be able to upgrade your cookbooks (or choose not to do so) at this time. Or, you may not be using Bundler. In these cases, implement one of the workarounds described in the next section.

Workaround

Non-Bundler apps

1) Update your gem versions on the dashboard.

2a) If you are using Ruby 1.9.x:

  • The best solution is to update cookbooks to get the new version of Ruby without vulnerable JSON in stdlib.
  • Alternatively, you need to call the gem method in your code to select the fixed version prior to requiring it.  Example:
    require 'rubygems'
    gem 'json', '~> 1.7.7'
    require 'json'
    

2b) If you’re using Ruby 1.8.x, no cookbook upgrade is necessary.

3) Deploy your app.

Rails 3.0 apps

Using Bundler but cannot upgrade cookbooks now

  • It is sufficient to explicitly state a fixed version of Rails and JSON (or json_pure) in your Gemfile and redeploy your app as per the recommended instructions; just be sure to run everything using Bundler to prevent the stdlib version of JSON that is shipped with Ruby 1.9.3 from accidentally being used.

Important: Upgrading Rails is recommended because it also takes care of the vulnerabilities covered in CVE-2012-5664 and CVE-2013-0156, which were disclosed in January 2013.

Rails 2.3.x

Important: If you are still on Rails 2.3.x, even though there was a patch provided for this issue, it is officially End-of-Life. We highly recommend that you pursue activities to upgrade to Rails 3.2.

FAQs

How can I tell which versions I have now?

You can verify the versions you are using with:

machine user$ bundle list rails ; bundle list json ; bundle list json_pure 
/path/to/gems/rails-3.2.12
/path/to//gems/json-1.7.7
Could not find gem 'json_pure' in the current bundle.
machine user$ 

This will show you what versions of the gems are in your current bundle. Rails does not hardcode JSON versions, so you should be able to move to 1.7.7 or stay on the current minor release.

If you are still not using Bundler, you can check with:

machine user$ gem list rails ; gem list json ; gem list json_pure
*** LOCAL GEMS ***
rails (2.3.14)
*** LOCAL GEMS ***
json (1.7.6)
*** LOCAL GEMS ***
machine user$ 

Note: If you don’t specify gem 'json', it will use the stdlib version; you can check this via irb:

irb> require 'json'
irb> JSON::VERSION
1.5.4
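The manual checks above can be scripted. The following is an added example written for this page, not code from Engine Yard or from the advisory: it reads a Gemfile.lock (for Bundler apps), compares each of the three gems named in this advisory against the fixed versions listed in the Issue section, and, for the non-Bundler case, checks the JSON version actually loaded into the process, just as the irb check does. It assumes the standard Bundler lockfile layout (top-level specs indented four spaces) and uses a constructed sample lockfile; `FIXED_VERSIONS`, `fixed?`, `lockfile_versions`, `vulnerable_gems` and `loaded_json_fixed?` are names chosen here.

```ruby
# Added example: check gem versions against the fixed releases named in the
# Engine Yard advisory. Not part of the original page or of Engine Yard's tooling.
require 'rubygems'   # Gem::Version
require 'json'       # so JSON::VERSION reflects what this process actually loaded

# Fixed versions from the advisory, one per supported minor release line.
FIXED_VERSIONS = {
  'rails'     => %w[2.3.17 3.1.11 3.2.12],
  'json'      => %w[1.5.5 1.6.8 1.7.7],
  'json_pure' => %w[1.5.5 1.6.8 1.7.7],
}.freeze

# True when `version` is at or above the fixed release of its own minor line
# (1.6.9 passes, 1.6.7 fails). A line with no listed fix is treated as fixed
# only if it is newer than every listed release (json 1.8.x passes); older
# unlisted lines such as rails 3.0.x fail, matching "all earlier versions".
def fixed?(gem_name, version)
  v     = Gem::Version.new(version)
  fixed = FIXED_VERSIONS.fetch(gem_name).map { |s| Gem::Version.new(s) }
  same_line = fixed.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  same_line ? v >= same_line : v > fixed.max
end

# Parse the `specs:` entries of a Gemfile.lock into { name => version }.
# Top-level specs are indented exactly four spaces; their dependencies six,
# so the regexp below only picks up resolved gems, not requirements.
def lockfile_versions(lock_text)
  lock_text.each_line.each_with_object({}) do |line, versions|
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/))
      versions[m[1]] = m[2].sub(/-.*\z/, '')  # drop a platform suffix such as "-java"
    end
  end
end

# Gems from the advisory that are present in the lockfile and not yet fixed.
def vulnerable_gems(lock_text)
  lockfile_versions(lock_text).select do |name, version|
    FIXED_VERSIONS.key?(name) && !fixed?(name, version)
  end
end

# Non-Bundler guard: whichever JSON got loaded (stdlib or gem) must be fixed.
def loaded_json_fixed?(version = JSON::VERSION)
  fixed?('json', version)
end

# Constructed sample lockfile for illustration (not taken from the advisory).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.7.6)
      rails (2.3.14)
        rake (>= 0.8.3)
      rake (10.0.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    json
    rails
LOCK

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(SAMPLE_LOCK).each { |name, v| puts "#{name} #{v}: upgrade required" }
  puts "loaded JSON #{JSON::VERSION}: #{loaded_json_fixed? ? 'ok' : 'vulnerable'}"
end
```

Run it against a real lockfile with `vulnerable_gems(File.read('Gemfile.lock'))`; for the sample above it reports json 1.7.6 and rails 2.3.14 as needing an upgrade, and rake is ignored because it is not one of the gems the advisory covers. Comparing with `Gem::Version` rather than string comparison matters here, since "1.7.10" sorts before "1.7.7" as text but after it as a version.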

More information

  • Denial of Service and Unsafe Object Creation Vulnerability in JSON: see CVE-2013-0269
  • Circumvention of attr_protected: see CVE-2013-0276
  • Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0: see CVE-2013-0277
  • Hotfix for Engine Yard cookbooks (for the vulnerabilities above)
  • February 2013 Release Notes



Comments

  • Yves-Eric Martin

    Could you please clarify one point: how does "Upgrade to latest cookbook" relate to CVE-2013-0269, CVE-2013-0276 or CVE-2013-0277?

    I have already updated the gems in all my apps (Rails 3.2.12, json 1.7.7). Do I still need to update my cookbooks? To what end?


    Thank you,

    Yves-Eric

  • PJ Hagerty

    Hi Yves-Eric,


    Upgrading the cookbooks version is part of our stack upgrade designed to ensure all vulnerabilities are handled.  It addresses certain issues with the Rails and JSON vulnerabilities as described here: http://ey.io/XzQHCb


    If you have further questions, feel free to drop us a support ticket.


    Thanks,

    PJ
