I’m sure many of you have heard, but Ruby on Rails version 2.3.x is no longer supported by the core Rails development team. This change is going to have drastic consequences for the many organizations still using 2.3.x.
Why is 2.3x no longer being supported?
Rails version 2.3.x will no longer receive security patches and maintenance updates.
The decision to stop supporting 2.3.x comes not too long after two major security breaches that occurred earlier in January. These vulnerabilities allowed attackers to execute arbitrary code on practically every application run on Ruby on Rails, with the applications only needing to be connected to the Internet. Patrick McKenzie of Kalzumeus Software had an excellent writeup about the issue. These security issues were caused by a vulnerability with a serialization format known as YAML, which is able to ‘deserialize’ into arbitrary objects, which can result in the execution of arbitrary code.
With the release of Rails 4, the core Rails team no longer see it necessary to support it with the better options available.
What options are there for dealing with this change?
If you have been affected by this change in any way, you can’t close your eyes and pray that everything will be OK. That will probably end poorly. Libraries will quickly become out of date, causing errors and incompatibilities with your current systems. You basically have three options:
- The best solution is to upgrade your applications to Rails 3 or 4. However, this can be a time consuming task. Plugins and gems used for 2.3.x are not always compatible with Rails 3, and they need to be upgraded manually or with a compatible fork. Applications which call private methods and deal with the Rails core will probably need to be rewritten. In addition, Rails 3 provides default HTML escaping, which helps prevent XSS attacks. Older applications that return HTML may need to be modified and marked as harmless.
- Provide your own support for 2.3.x. This option is only feasible for organizations with a great software development team that can dedicate a portion of their time to constantly address new security issues for Rails. This is made easier if you use an error-tracking tool (hint hint).
- Find and implement a commercial fork for Rails 2.3.x. A German company called Makandra has created such a fork, known as Rails LTS. This company supports 2.3.x in the same way that the Rails Core team used to, guaranteeing timely updates and the proper security patches when necessary. They also provide help with integrating Rails LTS into current systems. Rails LTS is free for the general community (with a patch delay of 10 days), about $195 per month for a startup license, $520 for a standard license, and $975 for an enterprise license.
Without taking some countermeasures, the lack of support for Rails 2.3.x means that systems running it will soon be (or already are) vulnerable in highly critical areas. Make sure this isn’t you!