Over the holiday period, multiple serious vulnerabilities have been found within the Ruby on Rails framework. These security flaws are significant, with exploit code available in the wild, and affect nearly all applications running Rails. Patches and workarounds are available. At ThoughtWorks, we’ve been contacting our Rails clients (current and previous) in order to let them know about the problems. I think it’s worth getting this info out as widely as possible, so I’m posting here too.
If your Rails application is available outside your corporate firewall, or to the public, I strongly recommend you patch or upgrade your application immediately. If your Rails application is protected by a corporate firewall the risk is somewhat reduced, but I still recommend you patch or upgrade as soon as possible.
The following links have more detail on the Rails vulnerabilities and remediation:
- Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
- Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
In addition, similar critical vulnerabilities have been found within core Ruby libraries which may be used (directly or indirectly) by non-Rails applications.
You should ensure your maintenance and support teams are aware of the recent vulnerabilities and are responding to them.
ThoughtWorks is a proponent of using Ruby on Rails for fast, efficient development of web applications. As part of being a good citizen in the Ruby world we felt it appropriate to reach out to our customers who have used Rails, to make sure they are aware of the recent vulnerabilities. If you require further assistance in evaluating your situation and how you should patch your applications, please reach out to us and we will help.