On July 12, 2022, a remote code execution vulnerability was disclosed that affects all versions of the Ruby on Rails (a.k.a. Rails) web framework. According to the advisory, the flaw lies in Active Record, the framework's object-relational mapping layer.
Active Record insulates you from the need to write SQL in most cases. It performs queries on the database for you and supports most database systems, including MySQL, MariaDB, PostgreSQL, and SQLite. Whichever database you use, the Active Record API is the same.
“There is a possible escalation to RCE when using YAML serialized columns in Active Record. This vulnerability has been assigned the CVE identifier CVE-2022-32224. When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE,” the advisory explains.
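To make the mechanism concrete, here is an added Ruby example (not code from the Rails project or the advisory) that reproduces the two loader behaviours with plain Psych. The column values, the `InternalToken` class and the permitted-class list are constructed for illustration; the point is that a YAML document written into a serialized column by someone who can already write to the database is handed to the loader, and `YAML.unsafe_load` will instantiate whatever Ruby class the document names, while `YAML.safe_load` refuses anything outside an explicit allow-list before any object is built.

```ruby
require "yaml"

# Constructed stand-in for any class reachable in the process. Nothing in the
# application would ever store one of these in a serialized "preferences"
# column; it exists only to show that the loader will build it on request.
class InternalToken
  attr_reader :value

  def initialize(value)
    @value = value
  end
end

# What the application itself writes into the column: a plain Hash.
BENIGN_YAML = { "theme" => "dark", "per_page" => 50 }.to_yaml

# Constructed attacker-controlled column value (e.g. written via SQL
# injection): a YAML document that asks the loader to build an arbitrary
# Ruby object. Psych allocates the object and sets its instance variables
# without calling initialize.
TAMPERED_YAML = <<~YAML
  --- !ruby/object:InternalToken
  value: attacker-chosen
YAML

# Pre-fix behaviour: the YAML column coder called YAML.unsafe_load
# (YAML.load on Psych < 4, which is the same unrestricted code path).
def load_unsafe(payload)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(payload) : YAML.load(payload)
end

# Post-fix behaviour: only the listed classes may be instantiated; any other
# !ruby/object tag raises Psych::DisallowedClass before construction.
# Symbol is a typical entry because serialized Hashes often use symbol keys.
PERMITTED_CLASSES = [Symbol].freeze

def load_safe(payload, permitted_classes: PERMITTED_CLASSES)
  YAML.safe_load(payload, permitted_classes: permitted_classes, aliases: true)
end

# Run one payload through one loader and report what came back.
def describe(loader, payload)
  obj = send(loader, payload)
  "#{loader}: #{obj.class}"
rescue Psych::DisallowedClass => e
  "#{loader}: rejected (#{e.message})"
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_YAML, TAMPERED_YAML].each do |payload|
    puts describe(:load_unsafe, payload)
    puts describe(:load_safe, payload)
  end
end
```

The benign Hash round-trips through both loaders; the tampered document yields a live `InternalToken` from `load_unsafe` and a `Psych::DisallowedClass` error from `load_safe`. Instantiating an arbitrary class is the first link of a deserialization chain, which is why the advisory describes the issue as an escalation from database write access rather than a standalone RCE. The patched Rails releases make the same switch to `YAML.safe_load` with a configurable permitted-class list, so applications that deliberately store non-primitive objects in serialized columns must add those classes to the list after upgrading or the column will fail to load.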
The vulnerability was fixed in Rails 7.0.3.1, 6.1.6.1, 6.0.5.1, and 5.2.8.1. Researcher @elebow is credited with reporting the flaw.
Organizations running Rails should upgrade to a fixed release. For users who cannot upgrade immediately, Rails has provided patches for each affected release series. They are in git-am format (apply with `git am`) and each consists of a single changeset. Note that the precondition is an attacker who can already write to the database, so an application with an unpatched SQL injection or an exposed database remains at risk until the patch is applied.
- 7-0-yaml_safe_load.patch – Patch for 7.0 series
- 6-1-yaml_safe_load.patch – Patch for 6.1 series
- 6-0-yaml_safe_load.patch – Patch for 6.0 series
- 5-2-yaml_safe_load.patch – Patch for 5.2 series