2013-01-08 Instructure Advisory IAC94807 - Rails XML Parsing Vulnerability

504

SECURITY UPDATE

Release Date:	2013-01-08 (Last update can be found below the document title)
Description:	Code Injection Attack in Rails Library
Criticality Level:	Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
Impact:	Manipulation of data Exposure of sensitive information Privilege escalation Arbitrary code execution Denial of Service
Systems Affected:	Canvas LMS
Solution Status:	Patch
Relevant Changesets:	disable XML params parser · instructure/canvas-lms@0e0190f · GitHub

Summary:

An XML parameter parsing vulnerability was discovered in the Ruby on Rails 2.3.x library that Canvas uses. Canvas does not use XML parameter parsing, but is still vulnerable without the fix applied. Further information is available at https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/...

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.

About

Bio

Jordan has had various roles in the ed tech software (SAAS) industry for the past 9 years. (almost 5 years with Instructure). In his previous company he was a Client Services Manager for two years (responsible for account management, implementation, project management, and training, for each of his customers). After a year and a half he was commissioned to build a training department, all policies and procedures, and deliver training for all customers. Over the past eight years he has been in charge of conceiving, producing and deploying eLearning initiatives and strategies. He has trained over 3,000 adult learners with a wide range of technical aptitude, including K-12 Teachers, Principals, Administrators, Superintendents, Higher Ed Professors, Doctors, CTO’s, and Corporate Business Professionals and Executives. Jordan is an instructional designer and Community Manager for Instructure with a focus on connecting Canvas users with tools and resources that will help them get excited about and become proficient in utilizing the Canvas Learning Platform.