We take security very seriously at OCS Solutions. In fact, security issues trump all other issues, including application compatibility and performance when we make decisions about our network and servers.
On June 9th, 2009 a vulnerability was disclosed that causes Ruby to crash when very large (we’re talking astronomical proportions) decimals are converted to strings. This is a serious issue, but we feel that the exposure surface for most Rails sites may not be as large as initially thought.
Rails converts decimal columns into BigDecimal values when they are fetched from the database, and possibly in a few other places as well. Since values in the database can very easily originate from user input, any Rails application that has decimals of any kind either stored in the database or at any time accepted from the user is potentially at risk. We can’t say for certain that you are not at risk if you don’t use decimals or BigDecimals, but it does appear to be that way.
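As an added illustration of the exposure path described above (this is example code, not part of the original post and not OCS Solutions' own), the following defensive check bounds the size of a user-supplied decimal string before it is ever handed to BigDecimal, so that an absurdly large value from a form or API parameter never reaches the database or a later to_s call. The digit and exponent limits, the helper name, and the sample inputs are all assumptions chosen for this example; pick limits that match what your application actually stores.

```ruby
require 'bigdecimal'

# Assumed limits for this example (not from the advisory): a real app
# would derive these from its column precision/scale.
MAX_DIGITS   = 30   # total significant digits allowed
MAX_EXPONENT = 38   # largest |exponent| allowed in scientific notation

# Accepts plain and scientific-notation decimal literals only.
DECIMAL_RE = /\A[+-]?(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?\z/

# Returns a BigDecimal for a reasonably sized decimal string, or nil
# when the input is malformed or outside the configured bounds.
# Hypothetical helper name; call it on params before assigning to a model.
def safe_decimal(input)
  s = input.to_s.strip
  m = DECIMAL_RE.match(s)
  return nil unless m

  int_part  = m[1]
  frac_part = m[2] || ""
  exponent  = m[3]

  # Reject values with more digits than we are willing to store.
  return nil if int_part.length + frac_part.length > MAX_DIGITS
  # Reject astronomically large or small magnitudes before conversion.
  return nil if exponent && exponent.to_i.abs > MAX_EXPONENT

  BigDecimal(s)
end

# Constructed sample inputs, as a controller might receive them.
if __FILE__ == $PROGRAM_NAME
  ["19.99", "-0.5e3", "1e1000000000", "abc", "1" * 40].each do |raw|
    result = safe_decimal(raw)
    puts "#{raw[0, 20].ljust(20)} => #{result ? result.to_s : 'rejected'}"
  end
end
```

This check is a belt-and-braces input filter, not a substitute for the Ruby upgrade or the fix gem: values already in the database, or decimals produced by arithmetic inside the application, never pass through it.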
Our Recommendation
If your Rails app in any way uses decimals (either stored in the database or requested from the user), we recommend you update Ruby ASAP. If you do not use them, we still recommend you upgrade, but it’s not as critical.
In either case, you can patch the issue by installing the fix gem. Run the following two commands:
gem sources -a http://gems.github.com
sudo gem install NZKoz-bigdecimal-segfault-fix
Then add these two lines:
gem 'NZKoz-bigdecimal-segfault-fix'
require 'bigdecimal-segfault-fix'
to your application (for Rails, put this in config/environment.rb). Once you install this, you’ll need to restart your Rails application.
The best long term solution though is to upgrade Ruby. Here’s how to proceed:
- If you’re on shared hosting, we will be automatically updating Ruby over the next few days. If you use Mongrel, your application will need to be restarted, so we recommend you do this within the next 72 hours. If you’re using your own install of Ruby in your account, you’ll have to upgrade it yourself. If you don’t know how, we can do this for you as part of managed shared hosting or on a one-time-fee basis.
- If you have a managed server or VDS we’ll be glad to do that, just open a ticket and we’ll get that scheduled.
- If you have an unmanaged server or VDS and would like us to perform this for you, we can do it on a one-time-fee basis. Just open a ticket and we’ll start the process for you.
If you have any questions about this, please let us know and we’ll be glad to assist you.