WebFaction

Ruby on Rails just released a batch of updates to address a critical vulnerability that allows arbitrary code execution, SQL injection, and bypassing of authentication mechanisms. Needless to say, security holes don't get much worse than this.

Since a lot of us are using Redmine and other RoR sites with WebFaction, I have two questions:

  1. What is WebFaction doing to ensure that our shared servers don't get compromised because of unpatched code related to this vulnerability?
  2. Could you provide some guidance on how to patch and/or mitigate our existing Ruby/RoR apps?

asked 09 Jan '13, 11:51 by ehough


We've already added new installers for Rails 2.3.15, 3.0.19, 3.1.10, and 3.2.11.

To patch your own apps, you can either update your gems manually, or create a new app with the new installer and deploy your code to that.


answered 09 Jan '13, 14:01 by seanf

edited 10 Jan '13, 02:47 by klynton
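As an added example (not code from the thread or from WebFaction), the check below reads a Gemfile.lock and reports whether the locked Rails version is at or above the fixed releases Sean lists (2.3.15, 3.0.19, 3.1.10, 3.2.11), which is the "update your gems" route from the answer. The function names and the sample lockfile text are mine and constructed for the example.

```ruby
# Added example, not code from the thread or from WebFaction: audit a Gemfile.lock
# against the fixed Rails releases named in the answer (2.3.15, 3.0.19, 3.1.10, 3.2.11).
require 'rubygems'

# Lowest fixed release per Rails series, as listed in the answer above.
PATCHED_RAILS = {
  '2.3' => Gem::Version.new('2.3.15'),
  '3.0' => Gem::Version.new('3.0.19'),
  '3.1' => Gem::Version.new('3.1.10'),
  '3.2' => Gem::Version.new('3.2.11'),
}.freeze

# Pull the locked rails version out of Gemfile.lock text. In the "specs:" block
# a top-level gem is indented four spaces, e.g. "    rails (3.2.10)"; dependency
# lines are indented six and use "(= x.y.z)", so they do not match.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \((\d+(?:\.\d+)*)\)$/)
  m && Gem::Version.new(m[1])
end

# Classify a version: :patched, :vulnerable, or :unknown_series when the series
# is not one of the four the answer covers (decide those by hand).
def rails_status(version)
  ver = Gem::Version.new(version.to_s)
  series = ver.segments.first(2).join('.')
  fixed = PATCHED_RAILS[series]
  return :unknown_series unless fixed
  ver >= fixed ? :patched : :vulnerable
end

# Audit whole lockfile text; :no_rails when the app does not lock rails at all.
def audit_lockfile(lockfile_text)
  ver = locked_rails_version(lockfile_text)
  ver ? rails_status(ver) : :no_rails
end

# Constructed sample lockfile (not from any real app) so the script runs stand-alone.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.10)
        actionmailer (= 3.2.10)
        activerecord (= 3.2.10)

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real Gemfile.lock, or run with no argument to use the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  status = audit_lockfile(text)
  puts "locked rails: #{locked_rails_version(text) || 'none'} -> #{status}"
  puts 'update the rails gem (e.g. `bundle update rails`) and redeploy' if status == :vulnerable
end
```

Run it from the app directory as `ruby check_rails.rb Gemfile.lock` (the script name is an assumption); a `:vulnerable` result means the gem needs updating and the app redeploying, which is what the answer describes. `bundle update rails` is the standard Bundler command for that update.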

I'll update my gems now. Thanks!

(09 Jan '13, 21:35) ehough

Sean, I'd like to press the point on ehough's first question above. Can a vulnerable Rails app belonging to another user on my server compromise my own (Rails-free) account? or are your filesystem ACLs robust enough that even arbitrary code-execution would be contained within the vulnerable account?

(11 Jan '13, 11:08) cfm

When we create your account on our servers, the permissions on your home directory are sufficiently secure to prevent other customers from accessing files in your home directory, so unless you've changed that, you don't need to worry about a compromised Rails app getting into your account.

The only thing that might affect you would be if a compromised app was used to run some resource-intensive process. In that case, the performance of your server might be affected, or worst case, it would become completely non-responsive and would need to be rebooted. We have monitors in place for this sort of thing, and our CentOS6 servers have cgroups to prevent a single user from clobbering the CPU and IO, so it's unlikely that you'd see much of a problem if it did happen.

(11 Jan '13, 11:26) seanf

That's all the reassurance I was looking for. Thanks, Sean.

(11 Jan '13, 16:07) cfm

question asked: 09 Jan '13, 11:51

question was seen: 2,718 times

last updated: 11 Jan '13, 16:07

© COPYRIGHT 2003-2019 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED
REGISTERED IN ENGLAND AND WALES 5729350 - VAT REGISTRATION NUMBER 877397162
5TH FLOOR, THE OLD VINYL FACTORY, HAYES, UB3 1HA, UNITED KINGDOM