CVE-2014-2734
First published: Thu Apr 24 2014(Updated: )
** DISPUTED ** The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby-lang Ruby | =2.0 | |
| Ruby-lang Ruby | =2.0.0 | |
| Ruby-lang Ruby | =2.0.0-p0 | |
| Ruby-lang Ruby | =2.0.0-p195 | |
| Ruby-lang Ruby | =2.0.0-p247 | |
| Ruby-lang Ruby | =2.0.0-preview1 | |
| Ruby-lang Ruby | =2.0.0-preview2 | |
| Ruby-lang Ruby | =2.0.0-rc1 | |
| Ruby-lang Ruby | =2.0.0-rc2 | |
| Ruby-lang Ruby | =2.1 | |
| Ruby-lang Ruby | =2.1-preview1 | |
| Ruby-lang Ruby | =2.1.1 | |
| =2.0 | ||
| =2.0.0 | ||
| =2.0.0-p0 | ||
| =2.0.0-p195 | ||
| =2.0.0-p247 | ||
| =2.0.0-preview1 | ||
| =2.0.0-preview2 | ||
| =2.0.0-rc1 | ||
| =2.0.0-rc2 | ||
| =2.1 | ||
| =2.1-preview1 | ||
| =2.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/126218/Ruby-OpenSSL-Private-Key-Spoofing.html
- http://seclists.org/fulldisclosure/2014/Apr/231
- http://seclists.org/fulldisclosure/2014/May/13
- http://www.osvdb.org/106006
- http://www.securityfocus.com/bid/66956
- https://gist.github.com/10446549
- https://gist.github.com/emboss/91696b56cd227c8a0c13
- https://github.com/adrienthebo/cve-2014-2734/
- https://news.ycombinator.com/item?id=7601973
- https://www.ruby-lang.org/en/news/2014/05/09/dispute-of-vulnerability-cve-2014-2734/
- collector/nvd-index
- agent/references
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/author
- agent/status
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- status/disputed
- vendor/ruby-lang
- canonical/ruby-lang ruby
- version/ruby-lang ruby/2.0
- version/ruby-lang ruby/2.0.0
- version/ruby-lang ruby/2.0.0-p0
- version/ruby-lang ruby/2.0.0-p195
- version/ruby-lang ruby/2.0.0-p247
- version/ruby-lang ruby/2.0.0-preview1
- version/ruby-lang ruby/2.0.0-preview2
- version/ruby-lang ruby/2.0.0-rc1
- version/ruby-lang ruby/2.0.0-rc2
- version/ruby-lang ruby/2.1
- version/ruby-lang ruby/2.1-preview1
- version/ruby-lang ruby/2.1.1