Bug 1491866 (CVE-2017-14033) - CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
Summary: CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
Status: CLOSED ERRATA
Alias: CVE-2017-14033
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170914,repor...
Keywords: Security
Depends On: 1492016 1492017 1509448 1509449 1534437 1534438 1534937 1534941
Blocks: 1492024
TreeView+ depends on / blocked
 
Reported: 2017-09-14 21:29 UTC by Pedro Sampaio
Modified: 2019-06-08 22:21 UTC (History)
31 users (show)

(edit)
It was found that the decode method of the OpenSSL::ASN1 module was vulnerable to buffer underrun. An attacker could pass a specially crafted string to the application in order to crash the ruby interpreter, causing a denial of service.
Clone Of:
(edit)
Last Closed: 2017-12-19 12:15:02 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0378 normal SHIPPED_LIVE Important: ruby security update 2018-03-01 01:06:17 UTC
Red Hat Product Errata RHSA-2018:0583 None None None 2018-03-26 09:45 UTC
Red Hat Product Errata RHSA-2018:0585 None None None 2018-03-26 10:23 UTC

Description Pedro Sampaio 2017-09-14 21:29:20 UTC
There is a buffer underrun vulnerability in OpenSSL bundled by Ruby. If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash.

References:

https://bugzilla.novell.com/show_bug.cgi?id=1058757
https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/

Comment 1 Adam Mariš 2017-09-15 09:37:17 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1492016]


Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1492017]

Comment 2 Fedora Update System 2017-10-02 14:25:07 UTC
ruby-2.4.2-84.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Cedric Buissart 🐶 2017-12-04 14:39:38 UTC
It appears that CVE-2017-14033 corresponds to a vulnerability reported via https://hackerone.com/reports/170316  (currently private).

The corresponding upstream fix in ruby-openssl:
is https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b

ruby-openssl v2.0.0, which contains the fix, was pulled in ruby-2.4.0, via the following commit:
https://github.com/ruby/ruby/commit/aab0d67a1ff5190ff7a951e40cee742210302aed

Thus it seems that, unlike stated upstream, ruby-2.4.0 isn't vulnerable to CVE-2017-14033

Comment 7 Cedric Buissart 🐶 2017-12-19 11:14:54 UTC
External References:

https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/

Comment 8 Cedric Buissart 🐶 2017-12-19 12:15:20 UTC
Statement:

This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of rh-ruby24-ruby.

This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 11 errata-xmlrpc 2018-02-28 20:02:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378

Comment 13 errata-xmlrpc 2018-03-26 09:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583

Comment 14 errata-xmlrpc 2018-03-26 10:23:21 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS

Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585


Note You need to log in before you can comment on or make changes to this bug.