
Use of software with known vulnerabilities in development

Need

Mitigation of known vulnerabilities in software and dependencies used in development

Context

  • Usage of Ruby 2.2.2 as the programming language for development
  • Usage of Rails framework for building web applications
  • Usage of Rack for building web applications in Ruby
  • Usage of nokogiri for parsing and manipulating XML and HTML documents

Description

Non-compliant code

# Gemfile

source 'https://rubygems.org'
gem 'rails', '4.2.5.1'
gem 'rack', '1.6.4'
gem 'nokogiri', '1.6.8'

In the above code snippet, the application is using the Ruby on Rails framework version 4.2.5.1, Rack middleware version 1.6.4, and Nokogiri gem version 1.6.8. These are specified in the application's Gemfile, which is used by Bundler to manage the application's dependencies.

The problem with this code is that these specific versions of the Rails, Rack, and Nokogiri gems have known vulnerabilities:

  • Rails 4.2.5.1 has several known vulnerabilities including potential denial of service, unsafe query generation, and possible information leak.
  • Rack 1.6.4 has a known vulnerability that could allow an attacker to perform a timing attack.
  • Nokogiri 1.6.8 has a known vulnerability that could allow an attacker to cause a denial of service through a crafted XML document.

Using these versions of the gems in a pre-production environment could expose the application to these vulnerabilities, potentially leading to unauthorized access, data loss, or service disruption.

Steps

  • Identify the specific vulnerabilities associated with the software or dependencies used in the application.
  • Update the software or dependencies to the latest version that does not have the known vulnerabilities.
  • Review the release notes and changelogs of the updated software or dependencies to ensure compatibility with the application.
  • Test the application thoroughly after updating to ensure that it functions correctly and does not introduce any new issues.
  • Regularly monitor for new vulnerabilities and update the software or dependencies as needed.
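The first and last steps above (identify the vulnerable versions, then keep checking) are what a dependency audit does. The following Ruby script is an added example, not code from the original page: it parses the `gem 'name', 'version'` lines of a Gemfile with only the `Gem::Version` and `Gem::Requirement` classes that ship with rubygems, compares each pinned version against an advisory table, and returns a pass/fail result that a CI job can gate on. The advisory table and the two embedded Gemfiles are constructed sample data with placeholder advisory ids; the affected ranges are chosen to illustrate the check, not copied from any real advisory feed.

```ruby
# Added example (not from the original page): flag pinned gem versions that
# fall inside known-vulnerable ranges. Uses only rubygems, which is part of
# the Ruby standard distribution.
require 'rubygems'

# CONSTRUCTED advisory data with placeholder ids; a real feed (e.g. the
# ruby-advisory-db used by the bundler-audit gem) would replace this.
# Requirement strings use rubygems syntax ("< 2.2.3", "~> 4.2.0").
SAMPLE_ADVISORIES = {
  'rails'    => [{ id: 'ADV-EXAMPLE-1', affected: ['< 5.2.4.5'], fixed: '5.2.4.5' }],
  'rack'     => [{ id: 'ADV-EXAMPLE-2', affected: ['< 2.2.3'],   fixed: '2.2.3' }],
  'nokogiri' => [{ id: 'ADV-EXAMPLE-3', affected: ['< 1.11.1'],  fixed: '1.11.1' }]
}.freeze

# Constructed Gemfiles mirroring the non-compliant and compliant snippets.
NONCOMPLIANT_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails', '4.2.5.1'
  gem 'rack', '1.6.4'
  gem 'nokogiri', '1.6.8'
GEMFILE

COMPLIANT_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails', '5.2.4.5'
  gem 'rack', '2.2.3'
  gem 'nokogiri', '1.11.1'
GEMFILE

# Matches `gem 'name'` or `gem 'name', 'version'`; comments are skipped.
GEM_LINE = /\A\s*gem\s+['"]([^'"]+)['"](?:\s*,\s*['"]([^'"]+)['"])?/

# Returns { 'rails' => '4.2.5.1', ... }; a gem with no version string maps to nil.
def parse_gemfile(text)
  text.each_line.with_object({}) do |line, deps|
    next if line.lstrip.start_with?('#')
    m = GEM_LINE.match(line)
    next unless m
    deps[m[1]] = m[2]
  end
end

# Compares each dependency against the advisory table. Returns an array of
# finding hashes (empty means nothing matched). Unpinned gems and loose
# requirements such as '~> 2.2' are reported too, because an exact version
# is needed before the comparison means anything.
def audit(deps, advisories = SAMPLE_ADVISORIES)
  deps.flat_map do |name, version|
    if version.nil?
      [{ gem: name, problem: :unpinned }]
    elsif !Gem::Version.correct?(version)
      [{ gem: name, requirement: version, problem: :not_exact }]
    else
      current = Gem::Version.new(version)
      Array(advisories[name])
        .select { |adv| Gem::Requirement.new(*adv[:affected]).satisfied_by?(current) }
        .map do |adv|
          { gem: name, version: version, advisory: adv[:id],
            fixed: adv[:fixed], problem: :vulnerable }
        end
    end
  end
end

# Prints one line per finding and returns true only when the Gemfile is clean,
# so a CI step can fail the build on false.
def report(gemfile_text)
  findings = audit(parse_gemfile(gemfile_text))
  findings.each do |f|
    case f[:problem]
    when :vulnerable
      puts "#{f[:gem]} #{f[:version]} matches #{f[:advisory]}; upgrade to >= #{f[:fixed]}"
    when :unpinned
      puts "#{f[:gem]} has no pinned version; pin it so the check is meaningful"
    when :not_exact
      puts "#{f[:gem]} uses requirement '#{f[:requirement]}'; audit the resolved version in Gemfile.lock"
    end
  end
  findings.empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "non-compliant Gemfile clean? #{report(NONCOMPLIANT_GEMFILE)}"
  puts "compliant Gemfile clean? #{report(COMPLIANT_GEMFILE)}"
end
```

Running the script reports all three gems of the non-compliant Gemfile and nothing for the compliant one. In a real project the check belongs on Gemfile.lock rather than the Gemfile, since the lock file records the resolved versions of transitive dependencies as well; the bundler-audit gem does exactly that against a maintained advisory database, and scheduling it in CI covers the "regularly monitor" step without manual effort.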

Compliant code

# Gemfile

source 'https://rubygems.org'
gem 'rails', '5.2.4.5'
gem 'rack', '2.2.3'
gem 'nokogiri', '1.11.1'

The previous versions of the software and dependencies used in the application had known vulnerabilities. The versions of the 'rails', 'rack', and 'nokogiri' gems were outdated and had known security issues.

The updated code includes the latest versions of these gems that do not have the known vulnerabilities. Specifically, the 'rails' gem has been updated from version '4.2.5.1' to '5.2.4.5', the 'rack' gem from '1.6.4' to '2.2.3', and the 'nokogiri' gem from '1.6.8' to '1.11.1'.

Before updating these gems, it's important to review the release notes and changelogs of the updated software or dependencies to ensure compatibility with the application. After updating, the application should be thoroughly tested to ensure that it functions correctly and does not introduce any new issues.

Regular monitoring for new vulnerabilities and updating the software or dependencies as needed is a good practice to maintain the security of the application.
