PT-2015-1107 · Openssl+4 · Openssl+4

Jeffrey Walton

Published

2015-04-09

Updated

2024-06-15

CVE-2015-1855

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Ruby versions prior to 2.0.0 patchlevel 645 Ruby versions 2.1.x prior to 2.1.6 Ruby versions 2.2.x prior to 2.2.2

Description The issue concerns the improper validation of hostnames in the OpenSSL extension in Ruby, allowing remote attackers to spoof servers. This can be achieved through various vectors, including multiple wildcards, wildcards in IDNA names, case sensitivity, and non-ASCII characters. The vulnerability enables an attacker to substitute an SSL server using a specially crafted certificate.

Recommendations For Ruby versions prior to 2.0.0 patchlevel 645, update to a version that includes the necessary patches. For Ruby versions 2.1.x prior to 2.1.6, update to version 2.1.6 or later. For Ruby versions 2.2.x prior to 2.2.2, update to version 2.2.2 or later. As a temporary workaround, consider restricting the use of wildcard certificates in the OpenSSL extension until a patch is applied.

Fix

RCE

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-295

Related Identifiers

ALT-PU-2016-2061

BDU:2015-09978

CVE-2015-1855

DLA-224-1

DLA-235-1

DSA-3245-1

DSA-3246-1

DSA-3247-1

MGASA-2015-0178

OPENSUSE-SU-2017_1128-1

OPENSUSE-SU-2024:10090-1

OPENSUSE-SU-2024:10481-1

SUSE-SU-2015:1889-1

SUSE-SU-2017:0948-1

SUSE-SU-2017:1067-1

SUSE-SU-2017_0948-1

USN-3365-1

Affected Products

Alt Linux

Openssl

Ruby

Suse

Ubuntu

PT-2015-1107 · Openssl+4 · Openssl+4

CVE-2015-1855

Weakness Enumeration

Related Identifiers

Affected Products

References · 111