For the second time in less than a week, the developers of the Ruby on Rails framework are urging users to update their installations as soon as possible after the discovery of several critical vulnerabilities. Last week it was a SQL injection vulnerability in Ruby on Rails, and today comes the disclosure of a series of vulnerabilities that could enable an attacker to compromise vulnerable Rails applications.
On what has become one of the busiest patching days in recent memory, the maintainers of Ruby on Rails published advisories on a number of vulnerabilities, including a series of bugs in the way that Ruby on Rails parses some parameters. Those vulnerabilities could lead to a compromise of affected apps and all versions of Ruby on Rails are affected.
“There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application,” the advisory says. “The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application. Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the work arounds *immediately*.”
There are some mitigations and workarounds for these vulnerabilities, including disabling XML entirely or disabling the YAML and Symbol type conversion from the Rails XML parser. The advisory has code snippets users can employ to use either of these workarounds.
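To make the second workaround concrete, here is an added illustration (written for this article, not Rails code and not the advisory's own snippet) that models the parameter type-casting table as a hash of converters, the way the Rails XML parser keyed conversions on a `type` attribute. The converter names are assumptions that mirror the type hints described above; the sample parameters are constructed. Removing the `symbol` and `yaml` entries is the same idea as the advisory's workaround of disabling those conversions in the real parser, and the model shows what changes: hinted values fall back to plain strings instead of becoming Symbols or YAML-decoded objects.

```ruby
require "yaml"

# Simplified model of type-hinted parameter casting (our own code, not Rails').
# Keys stand in for the XML "type" attribute values; lambdas do the conversion.
SAFE_PARSING = {
  "string"  => ->(s) { s },
  "integer" => ->(s) { Integer(s) },
  "float"   => ->(s) { Float(s) },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
}.freeze

# The two conversions the advisory calls unsuitable for user-provided data:
# creating Symbols and parsing YAML. Both are hypothetical stand-ins.
UNSAFE_PARSING = {
  "symbol" => ->(s) { s.to_sym },
  "yaml"   => ->(s) { YAML.load(s) },
}.freeze

class TypedParamParser
  attr_reader :parsing

  def initialize(parsing)
    @parsing = parsing.dup
  end

  # Workaround in the spirit of the advisory: drop the symbol and yaml
  # converters so those type hints are no longer honoured.
  def disable_unsafe_conversions!
    @parsing.delete("symbol")
    @parsing.delete("yaml")
    self
  end

  # Casts one parameter value. An unknown or disabled type hint leaves the
  # value as the raw string, which is the safe default.
  def cast(type_hint, raw)
    converter = @parsing[type_hint]
    converter ? converter.call(raw) : raw
  end
end

# Constructed sample parameters as [type hint, raw text] pairs.
SAMPLE_PARAMS = [
  ["integer", "42"],
  ["boolean", "true"],
  ["symbol",  "admin"],
  ["yaml",    "--- [1, 2]\n"],
].freeze

def cast_all(parser)
  SAMPLE_PARAMS.map { |hint, raw| parser.cast(hint, raw) }
end

# Before the workaround: user-controlled hints mint Symbols and YAML objects.
def vulnerable_results
  cast_all(TypedParamParser.new(SAFE_PARSING.merge(UNSAFE_PARSING)))
end

# After the workaround: the same input yields only plain strings for those hints.
def hardened_results
  parser = TypedParamParser.new(SAFE_PARSING.merge(UNSAFE_PARSING))
  cast_all(parser.disable_unsafe_conversions!)
end

if __FILE__ == $0
  p vulnerable_results  # => [42, true, :admin, [1, 2]]
  p hardened_results    # => [42, true, "admin", "--- [1, 2]\n"]
end
```

The model keeps the conversions that are harmless on untrusted input (integers, floats, booleans) and drops only the ones that let the sender choose the resulting Ruby object type; that is the same property the advisory's workaround restores in the real parser.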
Users should upgrade to versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15, which contain fixes for the vulnerabilities.
The other vulnerability in Ruby on Rails disclosed on Tuesday is a denial-of-service bug that arises when Active Record is used in conjunction with JSON parameter parsing.
“Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it,” the advisory says.
“An attacker can craft a request such that `params[:token]` will return `[nil]`. The `[nil]` value will bypass the test for nil, but will still add an “IN (‘xyz’, NULL)” clause to the SQL query. Similarly, an attacker can craft a request such that `params[:token]` will return an empty hash. An empty hash will eliminate the WHERE clause of the query, but can bypass the `nil?` check.”
This vulnerability affects versions in the 3.x series. Fixed versions are 3.2.11, 3.1.10, 3.0.19.
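The interaction the advisory describes is easier to see with a worked model. The following is an added example written for this article (not Rails or Active Record code): a small stand-in for a `where` call that reproduces the three behaviours quoted above (a String becomes an equality predicate, an Array becomes `IN (...)` with nil elements rendered as `NULL`, and a nested empty Hash contributes no predicate, so the WHERE clause disappears). The JSON requests are constructed, and the `scrub_params` sanitizer is our own simplified defence, not the upstream patch.

```ruby
require "json"

# Builds SQL predicates from a conditions hash, collecting bind values
# so user input never lands inside the SQL text. Our model, not Active Record.
def build_predicates(conditions, binds, prefix = nil)
  conditions.flat_map do |column, value|
    name = prefix ? "#{prefix}.#{column}" : column.to_s
    case value
    when Hash
      # A nested hash means "conditions on another table"; an empty one adds
      # nothing, which is how the WHERE clause gets eliminated.
      build_predicates(value, binds, column)
    when Array
      non_nil = value.compact
      if non_nil.empty?
        ["#{name} IS NULL"]               # [nil] collapses to IS NULL
      else
        binds.concat(non_nil)
        slots = non_nil.map { "?" }
        slots << "NULL" if non_nil.size < value.size  # ['xyz', nil] -> IN (?, NULL)
        ["#{name} IN (#{slots.join(', ')})"]
      end
    when nil
      ["#{name} IS NULL"]
    else
      binds << value
      ["#{name} = ?"]
    end
  end
end

# Returns [sql, binds]; omits WHERE entirely when no predicate survived.
def where_sql(conditions)
  binds = []
  preds = build_predicates(conditions, binds)
  sql = "SELECT * FROM users"
  sql += " WHERE #{preds.join(' AND ')}" unless preds.empty?
  [sql, binds]
end

# The guard pattern the advisory warns about: only `nil?` is checked, so
# [nil] and {} pass straight through to the query.
def vulnerable_lookup(params)
  token = params[:token]
  return nil if token.nil?
  where_sql(token: token)
end

# Hardened guard: a lookup token must be a non-empty String, nothing else.
def hardened_lookup(params)
  token = params[:token]
  return nil unless token.is_a?(String) && !token.empty?
  where_sql(token: token)
end

# Framework-level defence in depth (our simplified version, an assumption):
# arrays that contain only nil and empty hashes are normalised to nil, so even
# the weak nil check in vulnerable_lookup rejects them.
def scrub_params(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      case value
      when Array then value.compact.empty? ? nil : value.compact
      when Hash  then value.empty? ? nil : scrub_params(value)
      else value
      end
  end
end

# Constructed JSON bodies, parsed the way a JSON params parser would.
def parse_request(body)
  JSON.parse(body, symbolize_names: true)
end

if __FILE__ == $0
  ['{"token": "xyz"}', '{"token": [null]}', '{"token": {}}', '{"token": ["xyz", null]}'].each do |body|
    params = parse_request(body)
    puts "#{body.ljust(26)} vulnerable: #{vulnerable_lookup(params).inspect}"
    puts "#{' ' * 26} hardened:   #{hardened_lookup(params).inspect}"
    puts "#{' ' * 26} scrubbed:   #{vulnerable_lookup(scrub_params(params)).inspect}"
  end
end
```

Run stand-alone, the script prints the query each guard would issue for each request: the vulnerable guard emits `token IS NULL` for `[null]`, a query with no WHERE clause for `{}`, and `token IN (?, NULL)` for `["xyz", null]`, while the hardened guard and the scrubbed parameters reject all three and only the plain string reaches the database.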