The popular Ruby on Rails web application framework, written in the Ruby language, received an "extremely critical security fix" that users are told to install "immediately".
Described as a remote code execution vulnerability, the patch fixes a flaw in the Rails JSON code that might have enabled authentication bypass in the hands of skilled cyber-criminals. It also patches a vulnerability that could allow arbitrary SQL code to be injected into an application's database. The security patch only addressed the 2.3.x, 3.1.x and 3.2.x branches of the framework.
"There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application," according to the security advisory. "This vulnerability has been assigned the CVE identifier CVE-2013-0333."
With three documented and patched Ruby on Rails vulnerabilities in less than a month, developers are warned to transition to later builds as Rails' designers cannot guarantee optimal security.
"The JSON Parsing code in Rails 2.3 and 3.0 support multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML," according to the security advisory. "All users running an affected application should upgrade or use the workaround immediately."
With Ruby on Rails widely used to build websites, it's conceivable that most Rails-based sites were susceptible to attacks.