Rails Vulnerability in JSON Parser

I got an email today from Heroku telling me to update an old trial Rails app on 3.0.x because of a security update. My understanding of the vunerability is that due to the way the JSON parser converts to YAML then works through the YAML parser a malicious user can bypass authentication systems and perform SQL actions, bad for a variety of reasons. The Rails community got onto this quickly after it was reported and a patch has been released, if you’re running 3.0.x or anything below that you’ll want to update to 3.0.20 or 2.3.16, a simple `Gem Update Rails ‘3.0.20’` should suffice. There are certain gems that have protected users, if you’ve got an application with YAJL gem installed then you should be safe, however it is still best to update.

The Rails blog also reports that this will be the last update for 3.0 and they will no longer maintain further security problems so if possible I’d recommend updating your app as soon as you can. If you’re unable to update quickly you may be interested in patching your JSON Parser (instructions on the mailing list below).

You can read more about it on the Rails blog or the Google mailing list

1 comment
  1. Terrific work! This is the type of information that should be shared around the web.
    Shame on Google for not positioning this post higher!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You May Also Like