Possible Denial of Service attack in Active Support

Metadata

medium
5.0
activesupport
CVE-2015-3227
groups.google.com
2015-06-16
2017-06-16 19:14
CVE-2015-3227 rails
CVE-2015-3227 ruby-activesupport-2.3
CVE-2015-3227 ruby-activesupport-3.2
CVE-2015-3227
2017-04-01 19:10
2017-01-05 20:15

Description

Specially crafted XML documents, specifically documents with very deeply
nested elements, can cause applications to raise a `SystemStackError` and
potentially cause a denial of service. The REXML and JDOM backends of
`ActiveSupport::XmlMini` convert the parsed document into a Hash with a
recursive walk that descends one call per nesting level, so an
attacker-supplied document of sufficient depth exhausts the stack. This only
impacts applications using REXML (the default backend) or JDOM as their XML
processor. Other XML processors that Rails supports are not impacted. The
patched releases track nesting depth during the conversion and reject
documents that exceed a fixed limit instead of recursing until the stack is
exhausted.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds
-----------
Use an XML parser that is not impacted by this problem, such as Nokogiri or
LibXML (the gem for the chosen backend must be present in your Gemfile). You
can change the processor like this, for example in an initializer:

ActiveSupport::XmlMini.backend = 'Nokogiri'

The backend name 'LibXML' selects the LibXML backend in the same way.

If you cannot change XML parsers, then adjust
`RUBY_THREAD_MACHINE_STACK_SIZE`. This environment variable is read when the
interpreter starts and sets, in bytes, the machine stack size of threads that
Ruby creates (the main thread's stack is governed by the operating system
limit, e.g. `ulimit -s`), so it must be exported before the application
server is launched. Note that a larger stack only raises the nesting depth at
which the `SystemStackError` occurs; it does not remove the problem, so treat
it as a stopgap until you can upgrade or change backends.
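The following is an added example, not code from this page or from Rails. It
reproduces the shape of the problem described above using Ruby's own REXML
library: a recursive element-to-Hash walk with no depth check (the shape of
the affected `XmlMini` REXML backend) next to the same walk with a depth budget
(the shape of the fix). The method names, the `DepthExceededError` class and the
`nested_xml` generator are this example's own; `nested_xml` constructs the
deeply nested input inline so the example runs offline.

```ruby
require 'rexml/document'

# Raised by the hardened walker when a document nests deeper than allowed.
class DepthExceededError < StandardError; end

# Constructed input: a document nested `depth` element levels deep,
# e.g. nested_xml(3) => "<a><a><a>leaf</a></a></a>".
def nested_xml(depth, tag: 'a')
  ("<#{tag}>" * depth) + 'leaf' + ("</#{tag}>" * depth)
end

# Shape of the vulnerable walk: one recursive call per nesting level, with
# nothing but the VM/machine stack to stop it. A deep enough document turns
# this into SystemStackError, which is the denial of service in CVE-2015-3227.
def element_to_hash_unbounded(element)
  children = element.elements.to_a
  return element.text.to_s if children.empty?
  children.each_with_object({}) do |child, hash|
    hash[child.name] = element_to_hash_unbounded(child)
  end
end

# Shape of the fix: carry the remaining depth budget down the recursion and
# fail fast with an ordinary exception the application can rescue, long
# before the stack is anywhere near exhausted.
def element_to_hash_bounded(element, remaining)
  raise DepthExceededError, 'XML document is nested too deeply' if remaining <= 0
  children = element.elements.to_a
  return element.text.to_s if children.empty?
  children.each_with_object({}) do |child, hash|
    hash[child.name] = element_to_hash_bounded(child, remaining - 1)
  end
end

def parse_unbounded(xml)
  element_to_hash_unbounded(REXML::Document.new(xml).root)
end

# max_depth counts element levels including the root element.
def parse_bounded(xml, max_depth: 100)
  element_to_hash_bounded(REXML::Document.new(xml).root, max_depth)
end

# True when the unbounded walk dies with SystemStackError on this input.
# SystemStackError is not a StandardError, so a bare `rescue` would miss it.
def exhausts_stack?(xml)
  parse_unbounded(xml)
  false
rescue SystemStackError
  true
end

if __FILE__ == $PROGRAM_NAME
  deep = nested_xml(30_000)
  p parse_bounded(nested_xml(3), max_depth: 10)   # {"a"=>{"a"=>"leaf"}}
  puts exhausts_stack?(deep)                      # true with default stack sizes
  begin
    parse_bounded(deep)
  rescue DepthExceededError => e
    puts "rejected: #{e.message}"
  end
end
```

Raising `RUBY_THREAD_MACHINE_STACK_SIZE` only moves the depth at which
`exhausts_stack?` flips to true; the bounded walk rejects the document at a
depth chosen by the application, which is why the depth limit, not a bigger
stack, is the durable fix. REXML's own tree parser is iterative, so it is the
Hash conversion, not the parse, that recurses here.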

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Package: activesupport
Patched in: >= 4.2.2, ~> 4.1.11, ~> 3.2.22
  (that is, 4.2.2 or later; 4.1.11 or any later 4.1.x release; 3.2.22 or any later 3.2.x release)
Unaffected in: None