Ruby on Rails Streams Critical Security Patch
The popular Ruby on Rails web application development framework, which uses the Ruby programming language, received an “extremely critical security fix” to be installed “immediately”.
Described as a remote code execution vulnerability, the patch fixes a flaw in the Rails JSON code that might have enabled authentication bypass in the hands of skilled cyber-criminals. Also patching a vulnerability that could allow arbitrary SQL code to be injected into an application’s database, the security patch only addressed the 2.3.x, 3.1.x and 3.2.x branches of the framework.
“There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application,” according to the security advisory. “This vulnerability has been assigned the CVE identifier CVE-2013-0333.”
With three documented and patched Ruby on Rails vulnerabilities in less than a month, developers are warned to transition to later builds as Rails’ designers cannot guarantee optimal security.
“The JSON Parsing code in Rails 2.3 and 3.0 support multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML,” according to the security advisory. “All users running an affected application should upgrade or use the workaround immediately.”
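Two defensive checks that follow from the mechanism the advisory describes, written as an added example for this article rather than code from the Rails project: parse request bodies with the strict `json` gem only (which never hands text to YAML), and flag bodies carrying YAML type tags, which have no place in JSON. The function names and the sample bodies are constructed for illustration.

```ruby
# Added example (not from the article or the Rails project). Keeps JSON
# request bodies away from a YAML-based parser and flags bodies that carry
# YAML type tags, the construct the advisory says the backend could be
# tricked into decoding. Names and sample data below are constructed.
require 'json'

# Parse a request body with the strict JSON gem only. JSON.parse never passes
# the text to YAML, and create_additions: false keeps the gem from turning
# "json_class" keys into arbitrary Ruby objects. Anything that is not JSON
# is rejected and reported as nil.
def safe_parse_json(body)
  JSON.parse(body, create_additions: false)
rescue JSON::ParserError
  nil
end

# YAML local tags in Ruby's namespace ("!ruby/...") are meaningless in JSON.
# A body containing one is either malformed or aimed at a YAML parser, so it
# is worth logging for review regardless of whether the parser accepts it.
YAML_TAG = /!ruby\//.freeze

def yaml_tag_suspected?(body)
  !!(body =~ YAML_TAG)
end

# Scan a batch of request bodies and return those that deserve an alert:
# either they carry a YAML tag or the strict parser rejects them.
def suspicious_bodies(bodies)
  bodies.select { |b| yaml_tag_suspected?(b) || safe_parse_json(b).nil? }
end

# Constructed sample bodies: an ordinary JSON document, a document that is not
# JSON at all, and a JSON-shaped document smuggling a YAML tag (placeholder
# class name "Example").
SAMPLE_BODIES = [
  '{"user":{"name":"alice","admin":false}}',
  '--- plain yaml document',
  '{"user": !ruby/object:Example {}}'
].freeze

if __FILE__ == $0
  puts suspicious_bodies(SAMPLE_BODIES)
end
```

On a Rails 3.0 application the upstream advisory's own workaround was to switch the backend with `ActiveSupport::JSON.backend = "JSONGem"`, which is the same idea as the first function above; upgrading remains the proper fix.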
With Ruby on Rails so widely used to build websites, it’s conceivable that most of them were susceptible to these attacks.