No, Rails encrypts then signs, which means it verifies HMAC before it CBC-decrypts the message. It isn't vulnerable to this attack. What led you to say that it was?
JSF was vulnerable to this attack; Thai and Juliano, the researchers that other HN users are trashing on this thread, also found that flaw. I have to assume it's been fixed by now.
Their comment about MessageEncryptor is accurate, but I don't believe the bare #encrypt (which could create a vulnerability if exceptions weren't laundered) is used anywhere. Rails sessions are encrypted and then HMAC'd. This pattern isn't susceptible to padding side channels.
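
The ordering described in the comment above, as an added Ruby sketch (not part of the original comment and not Rails' own code): the HMAC over IV and ciphertext is checked before any CBC decryption, so a modified message is rejected with one uniform error and the padding check never runs on attacker-altered bytes. The names `seal`, `open_sealed`, `outcome`, `tamper` and `InvalidMessage` are hypothetical, and the keys are constructed demo values.

```ruby
require "openssl"

# Hypothetical names throughout; this is not the MessageEncryptor API.
class InvalidMessage < StandardError; end

# Constructed demo keys: separate keys for encryption and for the MAC.
ENC_KEY = OpenSSL::Digest::SHA256.digest("constructed demo encryption key")
MAC_KEY = OpenSSL::Digest::SHA256.digest("constructed demo signing key")
TAG_LEN = 32 # HMAC-SHA256 output size
IV_LEN  = 16 # AES block size

def hmac(data)
  OpenSSL::HMAC.digest("SHA256", MAC_KEY, data)
end

# Constant-time comparison so the tag check itself leaks no timing signal.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt with AES-256-CBC, then MAC the IV and ciphertext together.
def seal(plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv
  body = iv + cipher.update(plaintext) + cipher.final
  body + hmac(body)
end

# Verify the MAC first; only authentic ciphertext ever reaches the padding check.
def open_sealed(message)
  raise InvalidMessage if message.bytesize < IV_LEN + 16 + TAG_LEN
  body = message.byteslice(0, message.bytesize - TAG_LEN)
  tag  = message.byteslice(-TAG_LEN, TAG_LEN)
  raise InvalidMessage unless secure_equal?(tag, hmac(body))
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = ENC_KEY
  cipher.iv = body.byteslice(0, IV_LEN)
  cipher.update(body.byteslice(IV_LEN..-1)) + cipher.final
end

# What a caller can observe. A padding failure (OpenSSL::Cipher::CipherError)
# is deliberately not rescued: it would propagate if it were ever reachable.
def outcome(message)
  open_sealed(message)
  :ok
rescue InvalidMessage
  :rejected
end

# Flip one bit at the given byte offset of a copy of the message.
def tamper(message, index)
  copy = message.dup
  copy.setbyte(index, copy.getbyte(index) ^ 0x01)
  copy
end
```
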