Highly Critical Security Flaws Patched in Ruby on Rails
The developers of Ruby on Rails recently announced the release of versions 3.2.11, 3.1.10, 3.0.19 and 2.3.15 of Ruby on Rails, which contain two "extremely critical security fixes."

"One of the vulnerabilities exists when Active Record is used in conjunction with JSON parameter parsing," writes Softpedia's Eduard Kovacs. "An attacker can leverage the flaw to issue unexpected database queries. ... The second issue is represented by multiple vulnerabilities in parameter parsing in Action Pack. The weaknesses can be exploited to bypass authentication systems, inject arbitrary code, and even perform DoS attacks on Rails applications."

"Maintainers of the Rails framework are urging users to update their systems as soon as possible to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15," writes Ars Technica's Dan Goodin. "Updating is relatively painless for many sites, although temporary slow-downs are sometimes possible. Those who can't update should follow workarounds, including disabling XML or disabling YAML and Symbol type conversion from the Rails XML parser. Rails maintainers have made code available that streamlines these measures."
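The workaround quoted above (dropping YAML and Symbol type conversion from the Rails XML parser) can be checked in isolation. The following is an added example, not code from the article or from the Rails project: it models the XmlMini type-conversion table as a plain hash, applies the same deletion the advisory prescribes, and shows what a typed XML parameter becomes afterwards. The initializer path and the `UNPATCHED_TYPES` stand-in are assumptions.

```ruby
# Added example (not the article's or the Rails project's code): models the
# workaround by removing the "symbol" and "yaml" entries from the XML
# type-conversion table and shows the effect on a typed XML parameter.
require "rexml/document"

# Constructed stand-in for ActiveSupport::XmlMini::PARSING (type name => converter).
# Only a few of the real entries are modelled; the real "yaml" entry passes the
# element text to YAML.load, which is deliberately not reproduced here.
UNPATCHED_TYPES = {
  "integer" => ->(v) { v.to_i },
  "boolean" => ->(v) { %w[1 true].include?(v.strip) },
  "symbol"  => ->(v) { v.to_sym },
  "yaml"    => ->(_) { raise NotImplementedError, "unsafe YAML.load omitted" },
}.freeze

# The two entries the Rails advisory workaround deletes.
DANGEROUS_TYPES = %w[symbol yaml].freeze

def hardened_types(table)
  table.reject { |name, _| DANGEROUS_TYPES.include?(name) }
end

# Mirrors XmlMini's typecasting rule: a known type attribute selects a converter;
# an unknown type, or no type attribute at all, leaves the plain element text.
def typecast(element, table)
  conv = table[element.attributes["type"]]
  conv ? conv.call(element.text.to_s) : element.text.to_s
end

def parse_params(xml, table)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) { |el, h| h[el.name] = typecast(el, table) }
end

# Constructed request body: one client-controlled type="symbol" field.
SAMPLE = '<user><name type="symbol">admin</name><age type="integer">42</age></user>'

# In a Rails 3.x app the same effect comes from an initializer (assumed path
# config/initializers/disable_xml_yaml_symbol.rb) containing:
#   ActiveSupport::XmlMini::PARSING.delete("symbol")
#   ActiveSupport::XmlMini::PARSING.delete("yaml")
if defined?(ActiveSupport::XmlMini)
  DANGEROUS_TYPES.each { |t| ActiveSupport::XmlMini::PARSING.delete(t) }
end

puts parse_params(SAMPLE, UNPATCHED_TYPES).inspect                   # name is the Symbol :admin
puts parse_params(SAMPLE, hardened_types(UNPATCHED_TYPES)).inspect   # name stays the String "admin"
```

With the hardened table a `type="yaml"` element is likewise left as its raw text instead of being deserialized, which is the whole point of the workaround.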

"Vulnerability-wise, it hasn't been a good month for Ruby on Rails," notes InformationWeek's Mathew J. Schwartz. "Last week, the team behind the framework warned that all current versions of Rails were vulnerable to a SQL injection flaw. They simultaneously released updated versions of the framework that patched the flaw."