Ruby Security Vulnerabilities

Written By : Bradley Taylor

On June 21, 2008, the Ruby on Rails Weblog announced that multiple Ruby security vulnerabilities had been found. The official Ruby security advisory tells us that the following versions of Ruby have exploitable security vulnerabilities:

  • 1.8.4 and earlier
  • 1.8.5-p230 and earlier
  • 1.8.6-p229 and earlier
  • 1.8.7-p21 and earlier

The actual details of the vulnerabilities have yet to be revealed, but it appears that DoS attacks and arbitrary code execution are both potential possibilities.

Unfortunately, upgrading or patching your Ruby install is fraught with problems, as detailed by many Rails developers in the comments section. Users are experiencing segmentation faults and multiple Rails errors, resulting in immobilized Rails applications, and worse. We have been able to reproduce these errors in our own testing.

It looks like Ruby 1.8.6-p230, the only version of ruby that both preserves backward compatibility and has fixes for these security vulnerabilities, is incompatible with a very large number of Rails applications.

It seems that the fix is potentially worse than the problem.

What We’re Doing

When the security vulnerability announcement was made, we started working on evaluating possible upgrade, update, and patching solutions in an attempt to help our customers mitigate the problem until a working fix is released by the Ruby team.

We will provide an update here on the Rails Machine Blog as soon as a suitable fix is announced, tested, and made available.

What Should You Do Until Then?

We recommend waiting for the Ruby team to release a more tested, Rails friendly update, especially if you’re application is pre Rails 2.1.

I Can’t Wait. How Do I Upgrade?

Although we don’t recommend it, if you’re more concerned with the potential security issues than with possibly nuking your application, you can install a patched version of Ruby 1.8.6. We have created a special set of instructions you can use to do this.

Keep in mind that you’re doing this at your own risk.

Conclusion

It’s a bit of a quagmire. Not updating Ruby might leave your application open to potential security vulnerabilities, although nobody knows with 100% clarity just how much of a risk exists. Updating Ruby is either potentially problematic or impossible due to issues with the patches and updates.

We’ll update the blog as soon as we have any additional information.