October 29, 2013 - RubyGems security vulnerability

Updated: October 30th, 2013

RubyGems validates gem versions with a regular expression that is vulnerable to denial of service through backtracking. With specially crafted version strings, an attacker can cause denial of service through CPU consumption.

This security update contains the following sections:

  • Issue - security vulnerability summarized.
  • Solution - the recommended solution for most cases.
  • More information - helpful links related to this security vulnerability.

Issue

A security vulnerability was released October 17th, 2013:

CVE-2013-4287

Denial of service through CPU consumption. This vulnerability has been assigned the CVE identifier CVE-2013-4287.

Versions Affected: ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247; 2.0.7 and older, 2.1.0.rc.1 and 2.1.0.rc.2

Not Affected: Users of Ruby 1.8.6 and 1.8.7, which use RubyGems 1.4.2 and 1.5.2/3

Fixed Versions: RubyGems 2.1.0, 2.0.8, 1.8.26 and 1.8.23.1

CVE-2013-4363

Denial of service through CPU consumption. This vulnerability has been assigned the CVE identifier CVE-2013-4363.

Versions Affected: ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247

Not Affected: Users of Ruby 1.8.6 and 1.8.7, which use RubyGems 1.4.2 and 1.5.2/3

Fixed Versions: RubyGems 2.1.0, 2.0.8, 1.8.26 and 1.8.23.2
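As an added illustration (not RubyGems' own code), the following Ruby contrasts a version pattern with the structural flaw this advisory describes against a hardened validator. The two patterns, the 64-character cap and the helper names are assumptions for this example, not values taken from lib/rubygems/version.rb.

```ruby
# Constructed approximation of the flawed shape: a group that is itself
# repeatable, nested inside another unbounded repeat, ([0-9]+(...)*)*.
# The engine can split a run of digits between iterations of the outer
# group in exponentially many ways, so a long digit run followed by a
# character no version may contain forces it to try all of them before
# failing. Kept only for comparison; never run it on untrusted input.
BACKTRACKING_PATTERN = /\A\s*([0-9]+(\.[0-9a-zA-Z]+)*)*\s*\z/

# Hardened form: exactly one leading numeric component, then zero or more
# components that each begin with a literal dot. Every quantifier now has
# a single way to match a given input, so matching time is linear.
SAFE_PATTERN = /\A\s*[0-9]+(\.[0-9a-zA-Z]+)*\s*\z/

# Upper bound on a plausible version string (assumed for this example).
# Anything longer is rejected before the regex engine sees it at all,
# which bounds the work even if the pattern were later changed.
MAX_VERSION_LENGTH = 64

# Returns true only for strings that are short enough and match the
# unambiguous pattern; nil and non-strings are rejected outright.
def valid_version?(str)
  return false unless str.is_a?(String)
  return false if str.length > MAX_VERSION_LENGTH
  SAFE_PATTERN.match?(str)
end

# Constructed pathological input: a long digit run ending in an invalid
# character, the shape that makes BACKTRACKING_PATTERN backtrack
# exponentially and that valid_version? rejects in linear time.
def pathological_input(digits = 40)
  ('1' * digits) + '!'
end

if __FILE__ == $PROGRAM_NAME
  %w[1.8.23.2 2.0.8 2.1.0.rc.1 1..2].each do |v|
    puts "#{v.inspect}: #{valid_version?(v)}"
  end
  puts "pathological: #{valid_version?(pathological_input)}"
end
```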

Solution

Solutions are based on your Engine Yard stack.

Engine Yard Gentoo (stable-v2) users

To address issues raised by CVE-2013-4287 and CVE-2013-4363, we have provided upgraded RubyGems versions that do not contain those vulnerabilities. While the opportunities to exploit these vulnerabilities are severely limited for this stack, the following actions are needed to remove current known vulnerabilities:

  1. Upgrade your environments to the following RubyGems versions:
    • Ruby 1.9.2 users -- Edit your environment using the Engine Yard UI and select RubyGems version 1.8.23.2 or 1.8.28. Version 1.8.28 is the recommended version. For detailed instructions on changing your Ruby and RubyGems version selections, see Changing Ruby and RubyGems Versions.
    • Ruby 2.0.0 users -- Edit your environment using the Engine Yard UI and select RubyGems version 2.0.12.
    • Ruby 1.8.6 or 1.8.7 users -- Not impacted by this security vulnerability so no action required.

Important: Other versions of RubyGems on the UI are listed for legacy reasons, but should not be used. Those versions will be deprecated.

Engine Yard Gentoo 12.11 (stable-v4) and Limited Availability Engine Yard Gentoo (stable-v3) users

To address issues raised by CVE-2013-4287 and CVE-2013-4363, we have provided upgraded RubyGems versions that do not contain those vulnerabilities. While the opportunities to exploit these vulnerabilities are severely limited for this stack, the following actions are needed to remove current known vulnerabilities:

  1. Upgrade your environments to the following RubyGems versions:
    • Ruby 1.9.2 users -- Edit your environment using the Engine Yard UI and select RubyGems version 1.8.23.2 or 1.8.28. Version 1.8.28 is the recommended version. For detailed instructions on changing your Ruby and RubyGems version selections, see Changing Ruby and RubyGems Versions.
    • Ruby 2.0.0 users -- Edit your environment using the Engine Yard UI and select RubyGems version 2.0.12.
    • Ruby 1.8.6 or 1.8.7 users -- Not impacted by this security vulnerability so no action required.
  2. Upgrade to the October 30th, 2013 or later cookbook.

Important: Other versions of RubyGems on the UI are listed for legacy reasons, but should not be used. Those versions will be deprecated.

Changing Ruby and RubyGems Versions

To change your Ruby and RubyGems versions using the Engine Yard UI:

  1. Log into your Engine Yard account.
  2. Navigate to the Environments page on the Engine Yard dashboard.
  3. Click Edit Environment.
  4. Select a Ruby and RubyGems version from the drop-down.
  5. Click the Update Environment button.

More information

For more information about the items below, see the linked resources:

  • CVE-2013-4287 -- see CVE-2013-4287.
  • CVE-2013-4363 -- see CVE-2013-4363.
  • Engine Yard hotfix for the vulnerabilities above -- see October 2013 Release Notes.
