A serious security vulnerability was found today in the Ruby on Rails framework. The vulnerability affected nearly all applications running Rails, including Heroku’s.
Ruby on Rails issued a prompt warning and announced that releases 3.2.11, 3.1.10, 3.0.19, and 2.3.15 contained two extremely critical security fixes.
The aforementioned Rails versions were immediately patched and deemed safe from this exploit. Users were advised to upgrade promptly, failing which an attacker could potentially gain access to their application and its data, and run arbitrary code or commands. If you’re one of the concerned users, please check the patched versions below (deemed safe from the exploit) and upgrade immediately.
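As an added example (not the article's own list or Heroku's script), the check below maps an application's locked Rails version to the minimum safe release for its branch, using the four patched versions named above; the Gemfile.lock fragment is constructed for illustration.

```ruby
require 'rubygems' # Gem::Version compares numerically, so 3.2.9 < 3.2.11

# Minimum safe Rails release per maintained branch, as announced in the advisory.
PATCHED_RAILS = {
  '3.2' => '3.2.11',
  '3.1' => '3.1.10',
  '3.0' => '3.0.19',
  '2.3' => '2.3.15'
}.freeze

# Returns :safe, :vulnerable, or :unknown (branch not covered by the advisory).
def rails_patch_status(version)
  v = Gem::Version.new(version)
  branch = v.segments.first(2).join('.')
  fixed = PATCHED_RAILS[branch]
  return :unknown unless fixed
  v >= Gem::Version.new(fixed) ? :safe : :vulnerable
end

# Extract the locked rails version from Gemfile.lock text: the "    rails (x.y.z)"
# line under "specs:" (dependency lines are indented deeper and are skipped).
def locked_rails_version(gemfile_lock)
  m = gemfile_lock.match(/^ {4}rails \(([\d.]+)\)/)
  m && m[1]
end

# Constructed sample Gemfile.lock fragment (not taken from the article).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.9)
        actionmailer (= 3.2.9)
LOCK

if __FILE__ == $0
  version = locked_rails_version(SAMPLE_LOCK)
  puts "rails #{version}: #{rails_patch_status(version)}"
end
```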
Heroku was also prompt in taking action and asked its customers to get a full list of their affected Heroku applications by running this script. Customers who found any affected application were advised to upgrade immediately and install the patched versions. If you’re a Heroku customer, below are the steps to upgrade:
You can read more about the security fixes by following these links:
Heroku recently resolved a security vulnerability it was alerted to in December that would have allowed an attacker to change the password of a pre-existing user account and thus gain control of it. Web security has been a vital issue for the industry: recently EdgeWebHosting partnered with Duo Security to secure remote access by enabling two-factor authentication, and SingleHop launched an automated security service for dedicated cloud servers.
Rails was created in 2003 by David Heinemeier Hansson and has since been extended by the Rails core team and more than 2,100 contributors, and is supported by a vibrant ecosystem. To learn more, please visit rubyonrails.org.