Security Vulnerabilities in Safe Level, WEBrick, Dl, DNS lookup

Posted by Werner Schuster on Aug 10, 2008 03:59 AM

A list of new security vulnerabilities in Ruby libraries and systems is available.

One issue concerns safe levels. By setting a safe level, it's possible to disallow certain operations and to control which data is treated as tainted. Tainted data in Ruby must be explicitly untainted before use. The discovered vulnerabilities are:
  • untrace_var is permitted at safe level 4
  • $PROGRAM_NAME may be modified at safe level 4
  • Insecure methods may be called at safe level 1-3
  • Syslog operations are permitted at safe level 4
See the list of vulnerabilities for code samples. A related issue in dl also involves tainted data. The dl library allows loading dynamic libraries and invoking their functions, but it doesn't check the taintedness of the arguments passed to those calls, which could be used in exploits.

Another vulnerability was discovered in WEBrick, which is susceptible to Denial of Service (DoS) attacks. The problem lay in the code responsible for splitting HTTP headers: for certain input the regex engine would fail to terminate.
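The WEBrick flaw above came from a header-splitting regex that could run away on crafted input. As an added example (not WEBrick's code, and the actual regex is not given here), this splits a raw header block in a single linear pass with explicit size and count limits, which are constructed values rather than anything from the advisory:

```ruby
# Added example, not from WEBrick. Splits an HTTP header block without
# backtracking regexes, so no input shape can stall the parser.
MAX_HEADER_BYTES = 16 * 1024   # constructed limit for illustration
MAX_HEADER_COUNT = 100         # constructed limit for illustration

class HeaderError < StandardError; end

# Returns { lowercased field name => value }. Folded continuation lines
# (RFC 2616 style, leading SP/HT) are joined to the previous field and
# repeated fields are joined with ", ". Each line is examined once with
# String#index / #strip, so the cost is linear in the input size.
def split_headers(raw)
  raise HeaderError, "header block too large" if raw.bytesize > MAX_HEADER_BYTES
  headers = {}
  current = nil
  raw.each_line do |line|
    line = line.chomp          # strips CRLF or bare LF
    break if line.empty?       # blank line ends the header block
    if line.start_with?(" ", "\t")
      raise HeaderError, "continuation without a field" unless current
      headers[current] << " " << line.strip
    else
      colon = line.index(":")
      raise HeaderError, "malformed field: #{line.inspect}" unless colon && colon > 0
      name = line[0, colon].strip.downcase
      raise HeaderError, "invalid field name" if name.empty? || name.include?(" ")
      if headers.size >= MAX_HEADER_COUNT && !headers.key?(name)
        raise HeaderError, "too many fields"
      end
      value = line[colon + 1..].strip
      current = name
      headers[name] = headers.key?(name) ? headers[name] << ", " << value : value
    end
  end
  headers
end

# Constructed input: one field whose value is a long run of mixed
# whitespace, the kind of shape that tends to trip nested-quantifier regexes.
def pathological_block(n)
  "X-Test: " + (" \t" * n) + "a\r\n\r\n"
end
```

Run the pathological block through an existing regex-based splitter you maintain and compare its wall-clock time against this one to see whether the regex is the bottleneck.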

The recently discovered DNS security problem also affected Ruby and was solved by randomizing DNS transaction IDs and source ports.

For the 1.8.x series, the solution is to upgrade to 1.8.6-p286 or 1.8.7-p71. For users of Ruby 1.9.x, the currently advised solution is apparently to build the current version from the SVN repository; all revisions after r18423 should be safe.

Finally, a word of caution: the recently discovered problems in the Ruby interpreter have been resolved, but the first versions that contained the fixes caused compatibility problems. It pays to properly test-drive the upgrades before putting them into production.

Upgrading to 1.8.7 is also a solution that might cause problems. Using Rails 2.0 with Ruby 1.8.7 can break because of a method ActiveSupport added to String: Ruby 1.8.7 now adds the same method to String by default, yet with slightly different semantics (see InfoQ's article on Ruby's Open Classes for other similar issues). Rails 2.1 works with Ruby 1.8.7.
