Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.” References: https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
This was fixed upstream in Ruby versions 3.0.2, 2.7.4, and 2.6.8: https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/ https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/ https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
Upstream commit in Ruby: https://git.ruby-lang.org/ruby.git/commit/?id=e2ac25d0eb66de99f098d6669cf4f06796aa6256 Note that Ruby 3.1 will no longer include Net::IMAP in its standard library, but will rather bundle net-imap gem. The fix for this issue in the net-imap repo is: https://github.com/ruby/net-imap/commit/adba6f0c3e5c5607c4822b9120322eb7e9a77891 Fixed in net-imap 0.2.2.
HackerOne report with additional details: https://hackerone.com/reports/1178562
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1980570] Created ruby:2.5/ruby tracking bugs for this issue: Affects: fedora-34 [bug 1980571] Created ruby:2.6/ruby tracking bugs for this issue: Affects: fedora-all [bug 1980567] Created ruby:2.7/ruby tracking bugs for this issue: Affects: fedora-all [bug 1980568] Created ruby:master/ruby tracking bugs for this issue: Affects: fedora-all [bug 1980569]
The support for the STARTTLS was added to Net::IMAP in net-imap 0.1.0 / ruby 1.9.0. Ruby versions prior to 1.9.0 are not affected by this issue.
Red Hat CloudForms 5.11 does not ship Ruby or RubyGem net-imap and thus not affected by the flaw. Ruby in the product consumed by respective RHEL repo.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-32066
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0672 https://access.redhat.com/errata/RHSA-2022:0672
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708