InfoQ

Security Vulnerabilities in Safe Level, WEBrick, Dl, DNS lookup

Posted by Werner Schuster on Aug 10, 2008

A list of new security vulnerabilities in Ruby libraries and systems is available.

One issue is a problem with the safe levels. By setting a safe level, it's possible to disallow certain operations and to control which data is treated as tainted. Tainted data in Ruby must be explicitly untainted before use. The discovered vulnerabilities are:
  • untrace_var is permitted at safe level 4
  • $PROGRAM_NAME may be modified at safe level 4
  • Insecure methods may be called at safe level 1-3
  • Syslog operations are permitted at safe level 4
See the list of vulnerabilities for code samples.

A related issue in dl also concerns tainted data. The dl library allows loading dynamic libraries and invoking their functions. It doesn't check the taintedness of arguments passed to those calls, which could be used in exploits.

Another vulnerability was discovered in WEBrick, which is susceptible to Denial of Service (DoS) attacks. The problem was caused by the code responsible for splitting HTTP headers: for certain data, the regex engine would fail to terminate.
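One way to avoid this class of problem is to split header values with a single-pass scanner whose running time is linear in the input length, and to cap the input size. The following Ruby code is an added example, not WEBrick's code or its fix; the helper name `split_header_value_linear`, the size cap, and the sample inputs are assumptions made for illustration.

```ruby
# Added illustration (not WEBrick code): split a comma-separated HTTP header
# value in one pass, so there is no regex backtracking to blow up on.
MAX_HEADER_VALUE_BYTES = 8192 # assumed cap; tune to your server's limits

# Hypothetical helper: returns the comma-separated items of a header value,
# keeping commas that appear inside double-quoted strings.
def split_header_value_linear(value, max_bytes: MAX_HEADER_VALUE_BYTES)
  raise ArgumentError, "header value too long" if value.bytesize > max_bytes

  items = []
  current = +""
  in_quotes = false
  escaped = false

  value.each_char do |ch|
    if escaped                      # character after a backslash: take as-is
      current << ch
      escaped = false
    elsif in_quotes && ch == "\\"   # backslash escape inside a quoted string
      current << ch
      escaped = true
    elsif ch == '"'                 # enter or leave a quoted string
      current << ch
      in_quotes = !in_quotes
    elsif ch == "," && !in_quotes   # item separator outside quotes
      items << current.strip
      current = +""
    else
      current << ch
    end
  end

  # Reject malformed input instead of trying alternative parses.
  raise ArgumentError, "unterminated quoted string" if in_quotes || escaped

  items << current.strip
  items.reject(&:empty?)
end

# Constructed sample inputs.
SAMPLE_ACCEPT = 'text/html, application/xml;q=0.9, */*;q=0.8'
SAMPLE_QUOTED = 'W/"a,b", "c\"d", plain'
```

Each input character is examined exactly once, so a malformed or oversized header costs at most one pass before it is rejected.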

The recently discovered DNS security problem also affected Ruby and was solved by randomizing DNS transaction IDs and source ports.

The solution to these issues is an upgrade to 1.8.6-p286, or 1.8.7-p71 for 1.8.x. For users of Ruby 1.9.x, apparently the currently advised solution is to get the current version in the SVN repository - all revisions after r18423 should be safe.

Finally, a word of caution: the recently discovered problems in the Ruby interpreter were resolved, but the first versions that contained the fixes caused compatibility problems. It pays to properly test-drive the upgrades before putting them into production.

Upgrading to 1.8.7 is also a solution that might cause problems. Using Rails 2.0 with Ruby 1.8.7 can cause problems due to a method ActiveSupport added to String. Ruby 1.8.7 added this method to String by default - yet with slightly different semantics (see InfoQ's article on Ruby's Open Classes for other similar issues). Rails 2.1 works with Ruby 1.8.7.
