Ruby-on-Rails—it’s modular, expressive, and broadly supported by legions of loyal developers. From Twitter to GroupOn, many of the world’s most trafficked websites have relied on Rails to deliver scalable and highly available web services. But as GitHub discovered a few years back, the language/framework is not without its security flaws—65 to date, per the CVE database. Here are the top 15 and how to remediate and/or prevent them from being exploited.
Table of contents
- Arbitrary file existence disclosure in Sprockets
- Possible Denial of Service attack in Active Support
- IP whitelist bypass in Web Console
- CSRF Vulnerability in jquery-ujs and jquery-rails
- XSS Vulnerability in ActiveSupport::JSON.encode
- Potential Denial of Service Vulnerability in Rack
- Arbitrary file existence disclosure in Action Pack
1. Arbitrary file existence disclosure in Sprockets
To address this vulnerability, you must set config.serve_static_assets = false in an initializer or apply the patch provided by Rails.
2. Possible Denial of Service attack in Active Support
Active Support provides language extensions and utilities to the framework. Two components—jdom.rb and rexml.rb—are vulnerable when JDOM or REXML are enabled, allowing remote attackers to cause a denial of service (DoS) attack with a specially crafted XML file. This affects versions of Rails before 4.1.11 and 4.2.x before 4.2.2.
Remediation involves updating or patching Rails to fix the two vulnerable components.
3. IP whitelist bypass in Web Console
Rails environments with Web Console enabled are susceptible to spoofing via specially-crafted remote requests. This vulnerability impacts version 2.1.3, as used with Rails 3.x and 4.x.
To address this vulnerability, you must upgrade or patch Rails to fix the Web Console's whitelisted_ips protection mechanism.
4. CSRF Vulnerability in jquery-ujs and jquery-rails
jquery-ujs and jquery-rails enables the use jQuery in Rails web applications. Vulnerable versions allow attackers to bypass CSP protections CSRF tokens to attacker domains. All versions of Rails that use jquery-ujs or jquery-rails are affected.
Applying the appropriate patches for jquery-ujs and jquery-rails will effectively remediate this vulnerability.
5. XSS Vulnerability in ActiveSupport::JSON.encode
This flaw is another Rails ActiveSupport vulnerability, allowing for XSS attacks to be carried out by json/encoding.rb. Impacted versions include Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2.
Applying the appropriate patches will effectively remediate this vulnerability.
6. Potential Denial of Service Vulnerability in Rack
Rack is a Ruby web server interface that enables the filtering of requests and responses to a Rails application. Specially crafted requests can trigger a SystemStackError and a subsequent DoS. This vulnerability impacts all versions.
To fix this vulnerability, you must either upgrade or apply the appropriate patches.
7. Arbitrary file existence disclosure in Action Pack
Action Pack consists of two major components: Action View and Action Controller. In this case, a directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb allows remote attackers to determine the existence of files outside the application root. Impacted versions include versions 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3.
To prevent this vulnerability from being exploited, you must apply the appropriate security patches or update your version of Rails.
Fixing the above vulnerabilities is crucial to bolstering your Rails web application's security posture. UpGuard provides a way for you to do this easily and automatically with a few mouse clicks. Our powerful policy engine can validate secure configurations for all environments, infrastructures, and application stacks. In this case, a simple security policy can be run to check for any of the above vulnerabilities—as well as new vulnerabilities not yet added to policy. Our OVAL-backed vulnerability detection and monitoring suite ensures that all the applications in your environment are free for vulnerabilities and security gaps.