Ruby on Rails – Vulnerability and scheduled Network Vulnerability Scan Notice

Last Updated: 01/14/2013

Security Notice Level

SEVERE


The Ruby on Rails project has reported vulnerabilities in the Action Pack framework that, if exploited, can allow authentication bypass, SQL injection, arbitrary code execution, or denial of service.

**The IT Security Office will be performing non-invasive network based security scans of internet facing systems to identify systems at risk of compromise.**

The IT Security Office strongly advises updating or applying workarounds.

Affected Software:

Affected versions: all releases of Ruby on Rails prior to the fixed versions below
Fixed versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15
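The following script is an added example and is not part of this notice or of the Rails project; it checks the Rails version locked in an application's Gemfile.lock against the fixed versions listed above, so an administrator can confirm whether an update is still needed. It assumes the standard Gemfile.lock layout (a "rails (x.y.z)" line under the specs section) and treats any release series for which the notice lists no fixed version as affected, since the notice states that all versions are affected.

```ruby
require "rubygems"

# Fixed versions named in the notice, one per Rails release series.
FIXED_VERSIONS = %w[3.2.11 3.1.10 3.0.19 2.3.15].map { |v| Gem::Version.new(v) }.freeze

# Index the fixed versions by release series ("3.2" => 3.2.11, ...).
FIXED_BY_SERIES = FIXED_VERSIONS.each_with_object({}) do |v, h|
  h[v.segments[0, 2].join(".")] = v
end.freeze

# Extract the locked rails version from Gemfile.lock text.
# Matches the specs entry "    rails (3.2.8)"; dependency lines such as
# "  rails (= 3.2.8)" carry an operator and are deliberately not matched.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^\s+rails \((\d+(?:\.\d+)+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Classify a Rails version against the fixed releases:
#   :fixed            - at or above the fixed version for its series
#   :vulnerable       - below the fixed version for its series
#   :no_fixed_release - series not listed in the notice; assumed affected
def assess(version)
  series = version.segments[0, 2].join(".")
  fixed = FIXED_BY_SERIES[series]
  return :no_fixed_release if fixed.nil?
  version >= fixed ? :fixed : :vulnerable
end

# Check a whole lockfile; returns the locked version and its status.
def check_lockfile(lockfile_text)
  version = locked_rails_version(lockfile_text)
  return { version: nil, status: :rails_not_found } if version.nil?
  { version: version.to_s, status: assess(version) }
end

# Constructed sample lockfile (not from any real application) pinning a
# 3.2.x release that predates the 3.2.11 fix.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.8)
        activemodel (= 3.2.8)
      rails (3.2.8)
        actionpack (= 3.2.8)
        railties (= 3.2.8)

  DEPENDENCIES
    rails (= 3.2.8)
LOCK

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = check_lockfile(text)
  puts "rails #{result[:version] || '(not found)'}: #{result[:status]}"
end
```

Run it as `ruby check_rails.rb path/to/Gemfile.lock`; with no argument it evaluates the constructed sample and reports the 3.2.8 pin as vulnerable. Gem::Version handles the numeric comparison, so 3.2.11 correctly sorts above 3.2.8.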

Security bulletin names:

Vulnerability Note VU#380039
Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters
Released: January 8, 2013

Additional Information


Additional information about this vulnerability can be viewed at:

http://www.kb.cert.org/vuls/id/380039
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
http://api.rubyonrails.org/files/actionpack/README_rdoc.html

If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or help@colorado.edu. Email and phone help is available Mondays through Thursdays, 7:00 a.m. to 10:00 p.m.; Fridays 7:00 a.m. to 7:00 p.m.; and Saturdays and Sundays, noon to 6:00 p.m.