
CVE-2015-1855 Ruby OpenSSL Hostname Verification


Severity

Moderate

Vendor

N/A

Versions Affected

  • Ruby OpenSSL Hostname Verification

Description

Ruby’s OpenSSL extension matches hostnames against certificate names too permissively, which can lead to bugs similar to CVE-2014-1492.

This vulnerability affects the following Ruby versions:

  • All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 645
  • All ruby 2.1 versions prior to ruby 2.1.6
  • All ruby 2.2 versions prior to ruby 2.2.2
  • Ruby trunk prior to revision 50292

Affected VMware Products and Versions

Severity is moderate unless otherwise noted.

  • Pivotal Cloud Foundry Elastic Runtime versions prior to 1.5.
  • Operations Manager versions prior to 1.4.1.
  • Ruby Cloud Foundry buildpack versions prior to 1.3.1.
  • MongoDB for PCF versions prior to 1.4.0
  • Neo4J for PCF versions prior to 1.4.0

Mitigation

Users of affected versions should apply the following mitigation:

  • Ruby’s OpenSSL extension was enhanced to provide a string-based matching algorithm that follows stricter behavior, as recommended by the relevant RFCs. In particular, matching more than one wildcard per subject/SAN is no longer allowed, and comparison of these values is now case-insensitive.
  • This change affects Ruby’s OpenSSL::SSL#verify_certificate_identity behavior.
  • Specifically:
    • Only one wildcard character in the left-most part of the hostname is allowed.
    • IDNA names can now only be matched by a simple wildcard (e.g. ‘*.domain’).
    • Subject/SAN should be limited to ASCII characters only.
  • This vulnerability is addressed in Cloud Foundry ruby-buildpack v1.3.1 and later, which is available at network.pivotal.io.
    • Applications that specify a vulnerable version of ruby should update that dependency to require “2.2.2”, “2.1.6”, or “2.0.0.p645”.
  • Pivotal will bundle a version of the Ruby buildpack that addresses this vulnerability in Pivotal Cloud Foundry Elastic Runtime version 1.5.
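To make the rules listed above concrete, the following Ruby code is an added, stand-alone reimplementation of the stricter matching behaviour (one wildcard, left-most label only, bare wildcard for IDNA labels, ASCII only, case-insensitive). It is illustrative code written for this page, not the code shipped in Ruby’s OpenSSL extension; the function names `strict_hostname_match?`, `wildcard_label_match?` and `matches_any_dns_name?` are assumptions, and the sample names in the usage section are constructed.

```ruby
# Added illustration of the strict hostname-matching rules described in the
# mitigation above. Not Ruby's own implementation; written for this page.

# Compares a single left-most label of a presented identifier against the
# left-most label of the reference hostname.
#   - at most one "*" is permitted in the label
#   - an IDNA (punycode, "xn--") host label may only be matched by a bare "*"
#   - the wildcard must consume at least one character
def wildcard_label_match?(host_label, san_label)
  parts = san_label.split("*", -1)
  return false if parts.size > 2                      # more than one wildcard
  return host_label == san_label if parts.size == 1   # no wildcard: exact match

  prefix, suffix = parts
  # Partial wildcards such as "xn--*" must not match inside a punycode label.
  return false if host_label.start_with?("xn--") && san_label != "*"

  prefix.length + suffix.length < host_label.length &&
    host_label.start_with?(prefix) && host_label.end_with?(suffix)
end

# Returns true when the presented identifier +san+ (a dNSName taken from the
# certificate's subject CN or subjectAltName) matches the reference +hostname+.
def strict_hostname_match?(hostname, san)
  # RFC 5280: dNSName is an IA5String, so both sides must be pure ASCII.
  return false unless hostname.ascii_only? && san.ascii_only?

  # Matching is case-insensitive.
  host_labels = hostname.downcase.split(".", -1)
  san_labels  = san.downcase.split(".", -1)

  # Reject single-label presented names and empty labels ("a..b", trailing dot).
  return false if san_labels.size < 2
  return false if host_labels.any?(&:empty?) || san_labels.any?(&:empty?)

  # A wildcard never spans a dot, so the label counts must agree
  # (*.example.com matches foo.example.com but not bar.foo.example.com).
  return false unless host_labels.size == san_labels.size

  # Only the left-most label may contain a wildcard (no "www.*.com").
  return false if san_labels[1..-1].any? { |label| label.include?("*") }

  # The left-most label is compared under the wildcard rules ...
  return false unless wildcard_label_match?(host_labels.first, san_labels.first)

  # ... and every remaining label must be identical.
  host_labels[1..-1] == san_labels[1..-1]
end

# Mirrors what a certificate-identity check does with the list of dNSName
# entries: the hostname is accepted if any presented name matches strictly.
def matches_any_dns_name?(hostname, dns_names)
  dns_names.any? { |san| strict_hostname_match?(hostname, san) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample SAN list and reference hostnames for demonstration.
  sans = ["*.example.com", "api.example.net"]
  %w[www.example.com WWW.EXAMPLE.COM foo.bar.example.com example.com].each do |h|
    puts "#{h.ljust(24)} -> #{matches_any_dns_name?(h, sans)}"
  end
end
```

The two cases worth noting are the ones the advisory singles out: a presented name with a wildcard anywhere but the first label, or with two wildcards, is rejected outright rather than matched loosely, and a punycode host label such as `xn--bcher-kva` is only ever matched by a bare `*`, so `xn--*.example.com` cannot be used to cover arbitrary internationalised names.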

Credit

Tony Arcieri, Jeffrey Walton and Steffan Ullrich

References