[ACTION REQUIRED] Ruby Security Vulnerability; CVE-2013-4164
You are receiving this email because you run at least one Ruby (MRI) application on Heroku.
Early this morning, the Ruby project announced a security vulnerability in MRI 1.8.7, 1.9.2, 1.9.3, 2.0.0. The CVE identifier is CVE-2013-4164. Rubinius and JRuby are unaffected.
We believe this is limited to a denial of service vulnerability. Any Ruby application that parses JSON from an untrusted source can potentially be made to crash with little difficulty. There is also a slim theoretical possibility of a much more serious vulnerability, an Arbitrary Code Execution. We would like to stress that there are no known Proofs of Concept and this is purely theoretical, but can not be ruled out.
In response, we have released Ruby 1.8.7p375, 1.9.2p321, 1.9.3p484 and 2.0.0p353 which closes this attack vulnerability. Please upgrade as soon as possible. These releases are only available on our Cedar stack. If your application is on our Bamboo stack, please see the note below.
Additionally, the Ruby project has previously announced support for the 1.8.7 branch has been discontinued, and has de-facto discontinued support for 1.9.2. As such, 1.8.7p375 and 1.9.2p321 are not official release numbers from them, but what we’re using to indicate the presence of the patch. We strongly urge all pre-1.9.3 users to begin migration plans to 1.9.3 or 2.0.0 at their earliest convenience, as we can not guarantee our ability to backport security patches indefinitely.
Detecting if you’re vulnerable
$ heroku run "ruby -v" -a APPNAME
If your patch version is less than what’s listed above (e.g., 1.9.2p320), you’re vulnerable.
To upgrade, you’ll need to push a new commit to your app, which will cause a deploy. If you don’t want to push any actual changes, this commit can be empty:
$ git commit --allow-empty -m "upgrade ruby version"
$ git push heroku master
In the push output you should see the new version being picked up. You should see something like one of the following, depending on the version of Ruby:
New: ruby 1.8.7p375 (2013-11-22 revision 375) [x86_64-linux]
New: ruby 1.9.2p321 (2013-11-22 revision 321) [x86_64-linux]
New: ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
New: ruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-linux]
Users of forked versions of the Ruby buildpack should be sure to pull in the most recent changes.
Verifying that you are running a fixed version of Ruby
You can also verify that the runtime is installed by running:
$ heroku run "ruby -v" -a MYAPPNAME
This will show one of the version strings above (e.g.
ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux], or
2.0.0p353 (2013-11-22 revision 43784) [x86_64-linux], etc.)
Note for Bamboo users
For Bamboo applications, all operating system libraries are based on Debian 5.0. Support for this version, including security updates, was discontinued by the Debian project in February 2011. Given the obsolescence of the underlying libraries, we have made the difficult decision to NOT release a patch for today’s vulnerability for Bamboo. All Bamboo users are strongly urged to begin migrating your application to Cedar as soon as possible.
If you have any questions, please contact us.
Terence Lee, Heroku Ruby Team
Tom Maher, Heroku Security Team