RubySec

Providing security resources for the Ruby community

CVE-2015-3227 (activesupport): Possible Denial of Service attack in Active Support

ADVISORIES

GEM

activesupport

FRAMEWORK

Ruby on Rails

PATCHED VERSIONS

  • >= 4.2.2
  • ~> 4.1.11
  • ~> 3.2.22

DESCRIPTION

Specially crafted XML documents can cause applications to raise a SystemStackError and potentially result in a denial of service. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

Use an XML parser that is not impacted by this problem, such as Nokogiri or LibXML (the corresponding gem must be in your Gemfile). You can change the processor with a single assignment; in a Rails application put it in a file under config/initializers so it runs at boot, before any request body is parsed:

ActiveSupport::XmlMini.backend = 'Nokogiri'

If you cannot change XML parsers, then raise RUBY_THREAD_MACHINE_STACK_SIZE, the environment variable the Ruby VM reads at startup to size the machine stack of each thread it creates. This only moves the point at which a SystemStackError is raised, so treat it as a stop-gap until you can upgrade.
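The following script is an added example, not code from the RubySec advisory or from Rails. It turns the two conditions the advisory states (an unpatched activesupport version and a REXML or JDOM backend) into a check you can run against a deployed application, using only the version and requirement classes that ship with rubygems. The patched ranges are the ones listed above; the assumption that ActiveSupport::XmlMini.backend returns a module whose name ends in the backend's short name (for example ActiveSupport::XmlMini_REXML) is mine, and the helper and function names are hypothetical.

```ruby
# Added example (not from the RubySec advisory or Rails): decides whether an
# activesupport install is exposed to CVE-2015-3227 by combining the two
# conditions the advisory states: an unpatched version AND a REXML or JDOM
# XML backend. Uses only rubygems' version classes, so it runs offline.
require 'rubygems'

# Patched ranges exactly as listed in the advisory.
PATCHED_ACTIVESUPPORT = ['>= 4.2.2', '~> 4.1.11', '~> 3.2.22'].freeze

# Backends the advisory names as affected; other XmlMini backends are not.
AFFECTED_BACKENDS = %w[REXML JDOM].freeze

# True when +version+ (a String such as "4.1.10") satisfies at least one
# patched range. Gem::Requirement implements "~>" (pessimistic) matching,
# so "~> 4.1.11" means >= 4.1.11 and < 4.2.
def activesupport_patched?(version)
  v = Gem::Version.new(version)
  PATCHED_ACTIVESUPPORT.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Normalises a backend identifier to the short name XmlMini accepts when you
# assign it as a string. Accepts "REXML", "ActiveSupport::XmlMini_JDOM", or a
# module such as ActiveSupport::XmlMini_REXML (assumption: the module name
# ends in "_<short name>", which is how the bundled backends are named).
def backend_short_name(backend)
  name = backend.is_a?(Module) ? backend.name : backend.to_s
  name.split('_').last
end

# Exposure requires both an unpatched version and an affected backend.
def exposed_to_cve_2015_3227?(version, backend)
  !activesupport_patched?(version) && AFFECTED_BACKENDS.include?(backend_short_name(backend))
end

# Suggested action, in the order the advisory gives them.
def remediation(version, backend)
  return 'not affected' unless exposed_to_cve_2015_3227?(version, backend)

  "upgrade activesupport #{version} to a patched release, or set " \
    "ActiveSupport::XmlMini.backend = 'Nokogiri' (or 'LibXML'); if neither is " \
    'possible, raise RUBY_THREAD_MACHINE_STACK_SIZE as a stop-gap'
end

# Stand-alone use inside a booted application (e.g. `rails runner this.rb`):
# inspect the loaded gem version and the backend currently configured.
if __FILE__ == $0
  spec = Gem.loaded_specs['activesupport']
  if spec.nil?
    puts 'activesupport is not loaded in this process'
  elsif !defined?(ActiveSupport::XmlMini)
    puts "activesupport #{spec.version} loaded, but ActiveSupport::XmlMini is not; " \
         "patched version: #{activesupport_patched?(spec.version.to_s)}"
  else
    puts remediation(spec.version.to_s, ActiveSupport::XmlMini.backend)
  end
end
```

Run it inside the application process (for example via `rails runner`) so that both the real gem version and the backend actually selected by your initializers are inspected; running it outside the app only tells you whether the version on disk is patched.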