Ruby on Rails receives its third security patch in less than a month

Developers of the Ruby on Rails Web development framework released versions 3.0.20 and 2.3.16 of the software on Monday in order to address a critical remote code execution vulnerability.

This is the third security update released in January for Ruby on Rails, an increasingly popular framework for developing Web applications using the Ruby programming language that was used to build websites like Hulu, GroupOn, GitHub, Scribd, and others.

The Rails developers described the updates released Monday as “extremely critical” in a blog post and advised all users of the 3.0.x and 2.3.x Rails software branches to update immediately.

According to a corresponding security advisory, the newly released Rails versions address a vulnerability in the Rails JSON (JavaScript Object Notation) code that allows attackers to bypass authentication systems, inject arbitrary SQL (Structured Query Language) into an application’s database, inject and execute arbitrary code or perform a denial-of-service attack against an application.

The Rails developers pointed out that despite receiving this update, the Rails 3.0.x branch is no longer officially supported. “Please note that only the 2.3.x, 3.1.x and 3.2.x series are supported at present,” they said in the advisory.

Users of Rails versions that are no longer supported were advised to upgrade as soon as possible to a newer, supported version, because the continued availability of security fixes for unsupported versions cannot be guaranteed. The newer 3.1.x and 3.2.x Rails branches are not affected by this vulnerability.

This latest Rails vulnerability is identified as CVE-2013-0333 and is different from CVE-2013-0156, a critical SQL injection vulnerability patched in the framework on Jan. 8. The Rails developers stressed that users of Rails 2.3 or 3.0 who previously installed the fix for CVE-2013-0156 are still required to install the new fix released this week.