DoS Vulnerability in BigDecimal

Posted by Werner Schuster on Jun 10, 2009

Sections

Development,

Architecture & Design

Topics

JRuby ,

Ruby on Rails ,

Security ,

Ruby

Tags

Rails ,

Vulnerabilities ,

JRuby ,

Ruby on Rails ,

Ruby1.9

A Denial of Service (DoS) vulnerability has been found in all versions of Ruby 1.8.x:

Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

ActiveRecord relies on this method, so most Rails applications are affected by this. Though this is not a Rails-specific issue.

The Riding Rails blog also points out the vulnerability:

The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible.

The blog also points to NZKoz' bigdecimal-segfault-fix, a temporary fix for users who can't immediately upgrade their Ruby installation - although upgrading is the only proper solution since this fix can break applications.

All Ruby 1.8.x versions are affected - the first fixed versions of Ruby are Ruby 1.8.6-p369 (1.8.6 FTP Download Link) and Ruby 1.8.7-p173 (1.8.7 FTP Download Link).

JRuby also seems to be affected. Bug JRUBY-3744 tracks the issue and says:

JRuby seems to be affected as well. It doesn't crash, but appears to be stuck in an infinite loop.

The behavior is documented by this sample output.
A quick experiment showed that the solution used in the bigdecimal-segfault-fix works as a temporary fix in JRuby as well, since it just opens up the BigDecimal class and modifies it to throw an exception if too large numbers are used. Instead of keeping the JRuby thread busy, the code fails instantly; obviously this breaks behavior for code that needs numbers bigger than the default used in the fix.

Ruby 1.9.x users are not affected by the issue.

• Older >