Date: Mon, 11 Feb 2013 10:25:23 -0800 From: Aaron Patterson <tenderlove@...y-lang.org> To: rubyonrails-security@...glegroups.com, oss-security@...ts.openwall.com Subject: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277] Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 There is a vulnerability in the serialized attribute handling code in Ruby on Rails 2.3 and 3.0, applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities. This vulnerability has been assigned the CVE identifier CVE-2013-0277. Versions Affected: 2.3.x, 3.0.x and all earlier versions Not affected: 3.1.0 and Above Fixed Versions: 2.3.17 Impact ------ The +serialize+ helper in Active Record allows developers to store various objects serialized to a BLOB column in the database. The objects are serialized and deserialized using YAML. If developers allow their users to directly provide values for this attribute, an attacker could use a specially crafted request to cause the application to deserialize arbitrary YAML. Vulnerable applications will have models similar to this: class Post < ActiveRecord::Base serialize :tags end and will allow foreign input to be directly assigned to the serialized column like this: post = Post.new post.tags = params[:tags] All users running an affected release should either apply one of the patches or use one of the work arounds immediately. Releases -------- The 2.3.17 release is available in the normal locations. In accordance with our maintenance policy, there will be no new release of Ruby on Rails 3.0 to address this vulnerability. The patches included below have been pushed to the relevant branches in git. Workarounds ----------- To work around this issue, you must ensure that users cannot assign directly to the serialized column. For example if you have a model Post which serializes an array of tags you should use attr_accessible to prevent attackers from changing these values directly: class Post < ActiveRecord::Base serialize :tags # because :tags isn't included in the accessible list, it will be protected from assignment by attackers. attr_accessible :title, :content end Note: There are additional security concerns caused by allowing your users to directly provide values for a serialized attribute like this. You should consider making this change even if you apply the patches. Patches ------- To aid users who are still running 2.3 or 3.0, we have included patches against this vulnerability. They are in git-am format and consist of a single changeset. * 2-3-serialize.patch - Patch for 2.3 series * 3-0-serialize.patch - Patch for 3.0 series Please note that only the 3.1.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Tobias Kraze for reporting this issue to us and working with us on the fix. -- Aaron Patterson http://tenderlovemaking.com/ View attachment "2-3-serialize.patch" of type "text/plain" (3086 bytes) View attachment "3-0-serialize.patch" of type "text/plain" (2433 bytes) Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.