First published: Thu Apr 24 2014
** DISPUTED ** The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Ruby | =2.0 | |
Ruby | =2.0.0 | |
Ruby | =2.0.0-p0 | |
Ruby | =2.0.0-p195 | |
Ruby | =2.0.0-p247 | |
Ruby | =2.0.0-preview1 | |
Ruby | =2.0.0-preview2 | |
Ruby | =2.0.0-rc1 | |
Ruby | =2.0.0-rc2 | |
Ruby | =2.1 | |
Ruby | =2.1-preview1 | |
Ruby | =2.1.1 | |
CVE-2014-2734 is considered a medium severity vulnerability due to potential spoofing risks.
To remediate CVE-2014-2734, upgrade Ruby to a version that includes the fix for this vulnerability.
CVE-2014-2734 affects Ruby versions 2.0.x and 2.1.x.
CVE-2014-2734 allows remote attackers to spoof signatures, creating a potential remote exploitation vector.
CVE-2014-2734 is not persistent, as it requires specific conditions related to file handling in Ruby.