A vulnerability in the JSON parser of the Ruby on Rails framework was published recently. It affects Ruby on Rails versions 3.0.x and 2.3.x.
OnApp v2.3.3 runs on Rails v3.0.7, which contains the vulnerability. Earlier versions of OnApp also run on affected Rails releases.
What it means for your cloud
We have conducted an extensive investigation into this issue.
Our investigation found no OnApp customer to have been at risk. Even so, upgrading the Rails version used by OnApp Cloud removes the vulnerable code and any potential for future exploits, so we advise all OnApp customers to upgrade their control panel as soon as possible.
Please follow the instructions below to upgrade your version of OnApp Cloud.
OnApp Cloud v2.3.3
This upgrade will update the Rails version used by the OnApp control panel from Rails 3.0.7 to Rails 3.0.20, which fixes the following issues:
· SQL Injection Vulnerability
· Vulnerability in JSON Parser
· Multiple Vulnerabilities in Parameter Parsing in Action Pack
· Unsafe Query Generation Risk
To upgrade your control panel:
1. Get the OnApp Control Panel installer package:
# yum update onapp-cp-install
2. Set Control Panel custom values as required:
# vi /onapp/onapp-cp.conf
Edit this file to set Control Panel custom values, such as:
· OnApp to MySQL database connection data:
o connection timeout, pool, encoding, unix socket
· MySQL server configuration data (if MySQL is running on the same server as the CP):
o wait timeout, maximum number of connections
· The maximum number of requests queued to a listen socket
o (net.core.somaxconn value for sysctl.conf)
· The root of OnApp database backups directory
o (temporary directory on the CP box where MySQL backups are placed)
3. Run the Control Panel installer:
Note - After the upgrade, the API call /usage_statistics.json returns a 500 error. A patch is provided that fixes this behaviour and restores the normal results for /usage_statistics.json. To apply it:
- unpack the patch archive into /onapp/interface on the CP server
- chown onapp:onapp app/controllers/usage_statistics_controller.rb (path relative to /onapp/interface)
- service httpd restart
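Once the installer has run, it is worth confirming that the control panel really is on Rails 3.0.20 before closing the ticket. The following POSIX shell check is an added example, not OnApp's own tooling: it reads the version pinned for the rails gem in a Bundler Gemfile.lock and compares it against 3.0.20. The lockfile path /onapp/interface/Gemfile.lock is an assumption (the advisory only tells us the application lives under /onapp/interface); the sample lockfile embedded at the bottom is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not OnApp's own tooling): confirm which Rails version the
# control panel application is pinned to after running the installer.
# Assumption: the control panel is a Bundler-managed Rails app whose
# Gemfile.lock lives under /onapp/interface (the directory this advisory
# uses for the usage_statistics patch).

CP_LOCKFILE="/onapp/interface/Gemfile.lock"   # assumed path
FIXED_RAILS="3.0.20"                           # version this upgrade installs

# Print the version pinned for the "rails" gem in a Gemfile.lock read on stdin.
# Only the "specs:" form "    rails (x.y.z)" matches; the DEPENDENCIES form
# "rails (= x.y.z)" and other gems such as railties do not.
rails_version_from_lockfile() {
    sed -n 's/^ *rails (\([0-9][0-9.]*\)).*$/\1/p' | head -n 1
}

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Fields are compared numerically; a missing field counts as 0, so
# 3.0 < 3.0.20 and 3.1 > 3.0.20.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# rails_status VERSION: exit 0 when VERSION >= FIXED_RAILS,
# exit 1 when the control panel is still on a vulnerable release,
# exit 2 when no version could be determined.
rails_status() {
    ver=$1
    if [ -z "$ver" ]; then
        echo "could not determine the Rails version"
        return 2
    fi
    if version_ge "$ver" "$FIXED_RAILS"; then
        echo "rails $ver: OK (>= $FIXED_RAILS)"
        return 0
    fi
    echo "rails $ver: still vulnerable, upgrade to $FIXED_RAILS or later"
    return 1
}

# check_lockfile FILE: run rails_status on the pin found in FILE.
check_lockfile() {
    rails_status "$(rails_version_from_lockfile < "$1")"
}

# Constructed sample lockfile (not taken from a real control panel) so the
# script runs stand-alone. On the CP box, run: check_lockfile "$CP_LOCKFILE"
SAMPLE_LOCK='GEM
  remote: http://rubygems.org/
  specs:
    rails (3.0.7)
    railties (3.0.7)

DEPENDENCIES
  rails (= 3.0.7)
'
sample_file="${TMPDIR:-/tmp}/onapp-sample-Gemfile.lock"
printf '%s' "$SAMPLE_LOCK" > "$sample_file"
check_lockfile "$sample_file" || true    # reports the pre-upgrade 3.0.7 pin
rm -f "$sample_file"
```

On a control panel that has been upgraded, `check_lockfile "$CP_LOCKFILE"` exits 0; exit status 1 means the application is still pinned below 3.0.20 and the installer step should be repeated, and exit status 2 means the lockfile was not where this example assumes it to be.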
OnApp Cloud v2.3.2 and earlier
You must upgrade to OnApp Cloud v2.3.3 to address this vulnerability.
· For instructions on upgrading your own cloud, please contact OnApp Support.
· If you have a full version license you can also raise an upgrade ticket, and we'll take care of the upgrade for you. Please be aware that there may be a queue!
OnApp Cloud v3.0
The GA version of OnApp Cloud v3.0 (to be released in the near future) will not be affected by this vulnerability.