Tuesday, June 9, 2009

DoS Vulnerability in Ruby

Posted by michael

A Denial of Service vulnerability has been found and fixed in ruby. The vulnerability is due to the BigDecimal method mishandling certain large input values and can cause the interpreter to crash. This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application. This vulnerability has been assigned the CVE name CVE-2009-1904.

For upgrade instructions and information on affected ruby versions please see the ruby security team’s announcement.

All users are advised to upgrade their ruby installations immediately to avoid this problem. In the event that you are unable to upgrade your ruby installation, or are using an out-of-maintenance ruby version, there is a workaround available on github. You can either install it as a gem, or simply copy the file bigdecimal-segfault-fix.rb into config/initializers of your rails application.

NOTE: this workaround breaks valid formats supported by BigDecimal, users should not rely on this fix for an extended period of time but should instead immediately begin planning a migration to a supported ruby release.

The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible.

Thanks to Jose Fernández for reporting the vulnerability to the rails security team, and to the ruby security team for confirming the nature of the bug and handling the release process.