Posted by usa on 17 Oct 2018
The equality check of OpenSSL::X509::Name is not correct in the openssl extension library bundled with Ruby.
This vulnerability has been assigned the CVE identifier CVE-2018-16395.
Details
An instance of OpenSSL::X509::Name contains entities such as CN, C, and so on. Two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, due to a bug, the equality check is incorrect if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). So, if a malicious X.509 certificate is passed to be compared with an existing certificate, the two may incorrectly be judged equal.
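The following is an added example, not code from the advisory or the openssl gem. It builds the prefix case described above from constructed sample names, shows two equality checks that do not rely on Name#== (DER comparison and entity-by-entity comparison, both hypothetical helpers), and offers a self-check that reports whether the installed openssl still judges the prefix case as equal:

```ruby
require "openssl"

# Constructed sample names: the right-hand side's CN value starts with the
# left-hand side's CN value, which is exactly the case the advisory describes.
LHS = OpenSSL::X509::Name.new([["CN", "example"], ["C", "US"]])
RHS = OpenSSL::X509::Name.new([["CN", "example.attacker-controlled"], ["C", "US"]])

# Hypothetical helper (not part of the openssl gem): strict equality that does
# not depend on Name#== at all. Two names are equal only if their DER encodings
# are byte-for-byte identical, which implies every entity and value matches.
def names_strictly_equal?(a, b)
  a.to_der == b.to_der
end

# Hypothetical helper: entity-by-entity comparison, mirroring the rule the
# advisory states ("equal only when all entities are exactly equal").
# Name#to_a yields [oid, value, type] triples in order.
def names_entitywise_equal?(a, b)
  ea = a.to_a
  eb = b.to_a
  ea.size == eb.size && ea.zip(eb).all? { |x, y| x == y }
end

# Self-check for an installation: returns true when the bundled openssl still
# judges the prefix case above as equal although the names differ, i.e. the
# CVE-2018-16395 bug is present in this Ruby.
def bundled_equality_affected?
  (LHS == RHS) && !names_strictly_equal?(LHS, RHS)
end

if __FILE__ == $PROGRAM_NAME
  puts "LHS: #{LHS}"
  puts "RHS: #{RHS}"
  puts "Name#== says equal:    #{LHS == RHS}"
  puts "strict (DER) equal:    #{names_strictly_equal?(LHS, RHS)}"
  puts "entity-wise equal:     #{names_entitywise_equal?(LHS, RHS)}"
  puts "installation affected: #{bundled_equality_affected?}"
end
```

On a fixed Ruby or openssl gem all three checks report false for the sample pair; on an affected installation only the Name#== line reports true.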
Ruby users are strongly recommended to upgrade their Ruby installation or to apply one of the following workarounds as soon as possible.
Affected Versions
- Ruby 2.3 series: 2.3.7 and earlier
- Ruby 2.4 series: 2.4.4 and earlier
- Ruby 2.5 series: 2.5.1 and earlier
- Ruby 2.6 series: 2.6.0-preview2 and earlier
- prior to trunk revision r65139
Workaround
The openssl 2.1.2 gem or later includes a fix for the vulnerability, so upgrade the openssl gem to the latest version if you are using Ruby 2.4 or a later series.
gem install openssl -v ">= 2.1.2"
However, in the Ruby 2.3 series, you cannot override the bundled version of openssl with the openssl gem. Please upgrade your Ruby installation to the latest version.
Credit
Thanks to Tyler Eckstein for reporting the issue.
History
- Originally published at 2018-10-17 14:00:00 (UTC)
- Mention the fixed revision of trunk at 2018-10-19 00:00:00 (UTC)