ITC Security Threat of the Week – Ruby on Rails Vulnerability Reloaded – CVE-2013-0333 – 1/4 Million websites exposed

ITC Security Threat of the Week – Week 1: Ruby on Rails Vulnerability Reloaded

Users of Ruby on Rails received good news this week with the release of two updates, 3.0.20 and 2.3.16, fixing a security vulnerability in the JSON parser of the 2.3 and 3.0 release series of the framework.

What is Ruby on Rails?

Ruby on Rails (RoR, or simply Rails) is an open-source web application framework that many applications rely on, in organisations from small companies to large enterprises. A web application framework is a software platform that provides support for developing, hosting and serving dynamic web content and applications.

The JSON parser in Ruby on Rails 3.0 and 2.3 contains a weakness that attackers can exploit remotely: the default parsing backend converts incoming JSON into YAML and hands it to the YAML loader, which will instantiate arbitrary Ruby objects named in attacker-controlled request data.

28th of January 2013 – Ruby on Rails patch (software update) for CVE-2013-0333 is announced.
29th of January 2013 – Exploit code (code that attacks an application to take advantage of a vulnerability) is released into the wild. Details are available here: https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain

CVE-2013-0333 is the third major Rails vulnerability found in 2013, following two parameter-parsing flaws fixed earlier in January. The full list can be found here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155 (unsafe query generation from JSON parameters)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156 (remote code execution via XML parameter parsing)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333 (remote code execution via JSON parameter parsing, this week's issue)

What is affected?

Versions Affected: 2.3.x, 3.0.x
Not Affected: 3.1.x, 3.2.x, applications using the yajl gem.
Fixed Versions: 3.0.20, 2.3.16

What is the impact?

The vulnerability, which has been assigned the CVE identifier CVE-2013-0333, allows attackers to bypass authentication systems, inject and execute arbitrary code on the application server, or perform a DoS (Denial of Service) attack against a Rails application. Because the flaw is in request parsing, it is reachable by any unauthenticated client that can send a JSON request body to the application.

What is the solution?

For obvious reasons, users of affected versions are advised to update immediately. The updates, 3.0.20 and 2.3.16, can be found on the Ruby on Rails website and, to allow a swift upgrade, contain only the security fixes. Those unable to update straight away can apply the patches that have been provided for the two supported release series. If neither the updates nor the patches are an option, the issue can be worked around by switching to the JSONGem backend (which wraps the json gem, so that gem must be available to the application), placing the following line in an application initializer:

ActiveSupport::JSON.backend = "JSONGem"
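To show why that one-line change matters, the following is an added example written for this write-up; it is not code from the Rails advisory or from Rails itself, and it does not reproduce the Rails 2.3/3.0 JSON-to-YAML conversion. It contrasts a strict JSON parser (what the JSONGem backend wraps) with a YAML loader that honours Ruby object tags (the trust model the vulnerable backend inherited by converting JSON to YAML). The AuditRecord class, the request bodies and the detection heuristic are all constructed for the example; only the standard json and psych libraries are needed, no Rails.

```ruby
# Added example, not code from the Rails advisory or from Rails itself.
# Contrasts strict JSON parsing with YAML loading that honours Ruby object
# tags. Requires only the standard json and psych (YAML) libraries.
require 'json'
require 'yaml'

# Hypothetical application class, standing in for any class an attacker
# can name in a YAML tag.
class AuditRecord
  attr_accessor :note
end

# Constructed request bodies for the demonstration.
BENIGN_BODY = '{"user": {"name": "alice", "role": "viewer"}}'
# Valid YAML flow syntax but invalid JSON: a tagged node that asks the
# YAML loader to build an AuditRecord instead of a Hash.
TAGGED_BODY = '{"user": !ruby/object:AuditRecord {note: injected}}'

# Strict JSON parsing: only JSON types (Hash, Array, String, Numeric,
# true, false, nil) can come back, and anything that is not JSON is
# rejected. This is the behaviour the JSONGem backend gives you.
def parse_strict_json(body)
  JSON.parse(body)
rescue JSON::ParserError
  nil
end

# YAML loading with the full Ruby object model enabled, i.e. the kind of
# loading the old YAML backend relied on. Psych 4 renamed this to
# unsafe_load and made plain load safe by default; older Psych only has
# load, so fall back to it there.
def parse_via_unsafe_yaml(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# If YAML must be used at all, safe_load refuses object tags outright.
def parse_via_safe_yaml(body)
  YAML.safe_load(body)
rescue Psych::DisallowedClass
  nil
end

# Coarse detection heuristic for a WAF or SIEM rule, constructed for this
# example: a legitimate JSON request body never carries a Ruby YAML tag.
def suspicious_json_body?(body)
  body.include?('!ruby/')
end

if __FILE__ == $0
  puts "strict JSON, benign: #{parse_strict_json(BENIGN_BODY).inspect}"
  puts "strict JSON, tagged: #{parse_strict_json(TAGGED_BODY).inspect}"
  puts "unsafe YAML, benign: #{parse_via_unsafe_yaml(BENIGN_BODY).inspect}"
  puts "unsafe YAML, tagged: #{parse_via_unsafe_yaml(TAGGED_BODY)['user'].class}"
  puts "safe YAML, tagged:   #{parse_via_safe_yaml(TAGGED_BODY).inspect}"
  puts "flagged?             #{suspicious_json_body?(TAGGED_BODY)}"
end
```

The strict parser accepts the benign body and rejects the tagged one; the unsafe YAML loader accepts both and, for the tagged body, returns a live AuditRecord with its instance variable set from the request, which is the building block an attacker chains into code execution. To confirm the workaround has taken effect in a 2.3 or 3.0 application, run `ActiveSupport::JSON.backend` in a `rails console`; it should report the JSONGem backend rather than the Yaml backend.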

ITC Secure Networking

With the threat of online attack becoming more prevalent, it is as important as ever to stay on top of security updates and fixes. Only through the combined efforts of software developers and users can the danger of compromise be reduced.

Although specific signatures for these exploits are still in development, the correlation capabilities of the ITC Netsure360˚ SIEM platform can help identify attack attempts against exposed Rails applications.

ITC also offers a selection of vulnerability management solutions, such as Qualys, which helps you find critical system vulnerabilities faster, allowing you to protect your environment against malicious attempts more effectively.

To learn more about ITC Secure Networking and the services we offer, please visit our website: www.itcsecurity.com.