Earlier today, the Ruby community was made aware of a potentially serious breach to Rubygems.org, the external library hosting system used exhaustively in Ruby. The center of the problem was an exploit in a YAML parser that allowed for arbitrary code execution. In this case, a gem was uploaded to Rubygems.org that executed code that copied four configuration files for Rubygems.org itself to a public pasteboard. Beyond the seriousness of a remote code execution exploit, these configuration files contained secure information that could have been used to compromise Rubygems.org’s systems and all hosted gems.
This exploit had the potential for an attacker to add malicious code into any of the gems hosted by Rubygems.org. While the Rubygems team has been diligently auditing their logs and verifying the integrity of the hosted gems, we decided it would be best for our customers if we verified that there is no security threat present in the New Relic RPM gems ourselves.
Verifying New Relic’s Hosted Gems
To verify the gem files that currently exist on Rubygems.org had not been modified from the versions we originally pushed, we verified them against the results of our continuous integration system. Gems that are produced by our continuous integration builds are tested in multiple phases before being released to Rubygems.org. With this information, we were able to confirm that the gem that was packaged for release is the same gem that we tested against, and that it is the same gem actually hosted on Rubygems.org.
We generated the SHA256 hash of the files from our build system and compared them against the SHA hash from the gems hosted on Rubygems.org. In all cases, the SHAs matched and we are confident that the gems hosted on Rubygems.org are the same we released, and therefore safe for you to install.
The hashes for the last seven gem releases are as follows:
You can use these hashes to verify against the gems in your cache. Your gem directory can be found by running ““gem environment gemdir““, your gem cache is in the cache directory. If you are on a UNIX like system, you can run the following command to check every version in your cache:
[sourcecode language=”ruby”]find `gem environment gemdir`/cache -iname ‘newrelic_rpm*’ | xargs openssl sha256[/sourcecode]
If you’d like to verify the hash for every gem on your system, the community has assembled a number of scripts to do the heavy lifting. You can use the appropriate script from this gist to check all of your machine’s gems.
Reporting Security Concerns to New Relic
If you discover a security vulnerability in any piece of software, contacting the software maintainers privately should be your first course of action. If you believe you have identified a security vulnerability in any software maintained by New Relic, please email email@example.com to report the issue.