CVE-2015-1855 Ruby OpenSSL Hostname Verification
- Ruby OpenSSL Hostname Verification
Ruby’s OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames, which can lead to similar bugs such as CVE-2014-1492.
This vulnerability affects the following Ruby versions:
- All ruby 2.0 versions prior to ruby 2.0.0 patchlevel 645
- All ruby 2.1 versions prior to ruby 2.1.6
- All ruby 2.2 versions prior to ruby 2.2.2
- Ruby trunk prior to revision 50292
Severity is moderate unless otherwise noted.
- Pivotal Cloud Foundry Elastic Runtime versions prior to 1.5.
- Operations Manager versions prior to 1.4.1.
- Ruby Cloud Foundry buildpack versions prior to 1.3.1.
- MongoDB for PCF versions prior to 1.4.0
- Neo4J for PCF versions prior to 1.4.0
Users of affected versions should apply the following mitigation:
- Ruby’s OpenSSL extension was enhanced to provide a string-based matching algorithm which follows more strict behavior, as recommended by relevant RFCs. In particular, matching of more than one wildcard per subject/SAN is no-longer allowed. Also, comparison of these values are now case-insensitive.
- This change affects Ruby’s OpenSSL::SSL#verify_certificate_identity behavior.
- Only one wildcard character in the left-most part of the hostname is allowed.
- IDNA names can now only be matched by a simple wildcard (e.g. ‘*.domain’).
- Subject/SAN should be limited to ASCII characters only.
- This vulnerability is addressed in Cloud Foundry ruby-buildpack v1.3.1 and later, which is available at network.pivotal.io.
- Applications that specify a vulnerable version of ruby should update that dependency to require “2.2.2”, “2.1.6”, or “2.0.0.p645”.
- Pivotal will bundle a version of the Ruby buildpack that addresses this vulnerability in Pivotal Cloud Foundry Elastic Runtime version 1.5.
Tony Arcieri, Jeffrey Walton and Steffan Ullrich