Bug 1643086 (CVE-2018-16395)

Summary: CVE-2018-16395 ruby: OpenSSL::X509::Name equality check does not work correctly
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, bkearney, bmcclain, cbillett, dbaker, dblechte, dfediuck, eedri, hhorak, jaruga, jokerman, jorton, mgoldboi, michal.skrivanek, mo, mtasaka, pvalena, ruby-maint, sbonazzo, sherold, s, sthangav, strzibny, tomckay, trankin, vanmeeuwen+fedora, vondruch, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-30 09:34:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1643091, 1643092, 1643627, 1643628, 1643629, 1643630, 1643631, 1643632, 1643633, 1643634, 1643635, 1719433, 1719434    
Bug Blocks: 1643090    

Description Andrej Nemec 2018-10-25 13:35:45 UTC
An instance of OpenSSL::X509::Name contains entities such as CN, C and so on. Some two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, there is a bug that the equality check is not correct if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). So, if a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal.

External References:

https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/

Comment 1 Andrej Nemec 2018-10-25 13:40:40 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1643091]

Comment 4 Scott Gayou 2018-10-26 16:01:24 UTC
Upstream Hackerone Report:

https://hackerone.com/reports/387250

Comment 8 Doran Moppert 2018-11-19 05:00:49 UTC
Statement:

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Important, and is not currently planned to be addressed in future updates.

Red Hat Virtualization includes a vulnerable version of ruby, however the affected functionality is not used in Red Hat Virtualization or any of its dependencies. A future update may address this issue.

Comment 9 errata-xmlrpc 2018-11-29 09:56:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3729

Comment 10 errata-xmlrpc 2018-11-29 10:11:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3730

Comment 11 errata-xmlrpc 2018-11-29 10:22:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2018:3731

Comment 12 errata-xmlrpc 2018-11-29 22:22:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3738 https://access.redhat.com/errata/RHSA-2018:3738

Comment 14 errata-xmlrpc 2019-07-30 09:09:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1948 https://access.redhat.com/errata/RHSA-2019:1948

Comment 15 errata-xmlrpc 2019-08-27 11:06:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2565 https://access.redhat.com/errata/RHSA-2019:2565