The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."

From Red Hat Security Advisory 2008:0897 :

Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Ruby is an interpreted scripting language for quick and easy object-oriented programming.

The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs and a fixed source port when sending DNS requests. A remote attacker could use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)

Ruby's XML document parsing module (REXML) was prone to a denial of service attack via XML documents with large XML entity definitions recursion. A specially crafted XML file could cause a Ruby application using the REXML module to use an excessive amount of CPU and memory.
(CVE-2008-3790)

An insufficient 'taintness' check flaw was discovered in Ruby's DL module, which provides direct access to the C language functions. An attacker could use this flaw to bypass intended safe-level restrictions by calling external C functions with the arguments from an untrusted tainted inputs. (CVE-2008-3657)

A denial of service flaw was discovered in WEBrick, Ruby's HTTP server toolkit. A remote attacker could send a specially crafted HTTP request to a WEBrick server that would cause the server to use an excessive amount of CPU time. (CVE-2008-3656)

A number of flaws were found in the safe-level restrictions in Ruby.
It was possible for an attacker to create a carefully crafted malicious script that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655)

A denial of service flaw was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite-loop and crash. (CVE-2008-3443)

Users of ruby should upgrade to these updated packages, which contain backported patches to resolve these issues.

The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs and a fixed source port when sending DNS requests. A remote attacker could use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)

Ruby's XML document parsing module (REXML) was prone to a denial of service attack via XML documents with large XML entity definitions recursion. A specially crafted XML file could cause a Ruby application using the REXML module to use an excessive amount of CPU and memory.
(CVE-2008-3790)

An insufficient 'taintness' check flaw was discovered in Ruby's DL module, which provides direct access to the C language functions. An attacker could use this flaw to bypass intended safe-level restrictions by calling external C functions with the arguments from an untrusted tainted inputs. (CVE-2008-3657)

A denial of service flaw was discovered in WEBrick, Ruby's HTTP server toolkit. A remote attacker could send a specially crafted HTTP request to a WEBrick server that would cause the server to use an excessive amount of CPU time. (CVE-2008-3656)

A number of flaws were found in the safe-level restrictions in Ruby.
It was possible for an attacker to create a carefully crafted malicious script that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655)

A denial of service flaw was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite-loop and crash. (CVE-2008-3443)

This ruby update improves return value checks for openssl function OCSP_basic_verify() (CVE-2009-0642) which allowed an attacker to use revoked certificates. The entropy of DNS identifiers was increased (CVE-2008-3905) to avaid spoofing attacks. The code for parsing XML data was vulnerable to a denial of service bug (CVE-2008-3790). An attack on algorithm complexity was possible in function WEBrick::HTTP::DefaultFileHandler() while parsing HTTP requests (CVE-2008-3656) as well as by using the regex engine (CVE-2008-3443) causing high CPU load. Ruby's access restriction code (CVE-2008-3655) as well as safe-level handling using function DL.dlopen() (CVE-2008-3657) and big decimal handling (CVE-2009-1904) was improved.
Bypassing HTTP basic authentication (authenticate_with_http_digest) is not possible anymore.

This ruby update improves return value checks for openssl function OCSP_basic_verify() (CVE-2009-0642) which allowed an attacker to use revoked certificates.

The entropy of DNS identifiers was increased (CVE-2008-3905) to avaid spoofing attacks.

The code for parsing XML data was vulnerable to a denial of service bug. (CVE-2008-3790)

An attack on algorithm complexity was possible in function WEBrick::HTTP::DefaultFileHandler() while parsing HTTP requests (CVE-2008-3656) as well as by using the regex engine (CVE-2008-3443) causing high CPU load.

Ruby's access restriction code (CVE-2008-3655) as well as safe-level handling using function DL.dlopen() (CVE-2008-3657) and big decimal handling (CVE-2009-1904) was improved.

Bypassing HTTP basic authentication (authenticate_with_http_digest) is not possible anymore.

This update for ruby fixes the following security issues : 

  - Improve return value checks for OpenSSL function     OCSP_basic_verify() to refuse usage of revoked     certificates. (CVE-2009-0642)

  - Increase entropy of DNS identifiers to avoid spoofing     attacks. (CVE-2008-3905)

  - Fix denial of service (DoS) vulnerability while parsing     XML data. (CVE-2008-3790) 

  - Fix possible attack on algorithm complexity in function     WEBrick::HTTP::DefaultFileHandler() while parsing HTTP     requests or by using the regex engine to cause high CPU     load. (CVE-2008-3656, CVE-2008-3443)

  - Improve ruby's access restriction code. (CVE-2008-3655)

  - Improve safe-level handling using function DL.dlopen().
    (CVE-2008-3657)

  - Improve big decimal handling. (CVE-2009-1904)

  - Disable bypassing of HTTP basic authentication     (authenticate_with_http_digest).

The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. 

Mac OS X 10.5.7 contains security fixes for the following products :

  - Apache
  - ATS
  - BIND
  - CFNetwork
  - CoreGraphics
  - Cscope
  - CUPS
  - Disk Images
  - enscript
  - Flash Player plug-in
  - Help Viewer
  - iChat
  - International Components for Unicode
  - IPSec
  - Kerberos
  - Kernel
  - Launch Services
  - libxml
  - Net-SNMP
  - Network Time
  - Networking
  - OpenSSL
  - PHP
  - QuickDraw Manager
  - ruby
  - Safari
  - Spotlight
  - system_cmds
  - telnet
  - Terminal
  - WebKit
  - X11

The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied.

This security update contains fixes for the following products :

  - Apache
  - ATS
  - BIND
  - CoreGraphics
  - Cscope
  - CUPS
  - Disk Images
  - enscript
  - Flash Player plug-in
  - Help Viewer
  - IPSec
  - Kerberos
  - Launch Services
  - libxml
  - Net-SNMP
  - Network Time
  - OpenSSL
  - QuickDraw Manager
  - Spotlight
  - system_cmds
  - telnet
  - Terminal
  - X11

A denial of service condition was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite loop and crash (CVE-2008-3443).

A number of flaws were found in Ruby that could allow an attacker to create a carefully crafted script that could allow for the bypass of certain safe-level restrictions (CVE-2008-3655).

A denial of service vulnerability was found in Ruby's HTTP server toolkit, WEBrick. A remote attacker could send a specially crafted HTTP request to a WEBrick server that would cause it to use an excessive amount of CPU time (CVE-2008-3656).

An insufficient taintness check issue was found in Ruby's DL module, a module that provides direct access to the C language functions. This flaw could be used by an attacker to bypass intended safe-level restrictions by calling external C functions with the arguments from an untrusted tainted input (CVE-2008-3657).

A denial of service condition in Ruby's XML document parsing module (REXML) could cause a Ruby application using the REXML module to use an excessive amount of CPU and memory via XML documents with large XML entitity definitions recursion (CVE-2008-3790).

The Ruby DNS resolver library used predictable transaction IDs and a fixed source port when sending DNS requests. This could be used by a remote attacker to spoof a malicious reply to a DNS query (CVE-2008-3905).

The updated packages have been patched to correct these issues.

Laurent Gaffie discovered that Ruby did not properly check for memory allocation failures. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service. (CVE-2008-3443)

This update also fixes a regression in the upstream patch previously applied to fix CVE-2008-3790. The regression would cause parsing of some XML documents to fail.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Akira Tagoh discovered a vulnerability in Ruby which lead to an integer overflow. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2376)

Laurent Gaffie discovered that Ruby did not properly check for memory allocation failures. If a user or automated system were tricked into running a malicious script, an attacker could cause a denial of service. (CVE-2008-3443)

Keita Yamaguchi discovered several safe level vulnerabilities in Ruby.
An attacker could use this to bypass intended access restrictions.
(CVE-2008-3655)

Keita Yamaguchi discovered that WEBrick in Ruby did not properly validate paths ending with '.'. A remote attacker could send a crafted HTTP request and cause a denial of service. (CVE-2008-3656)

Keita Yamaguchi discovered that the dl module in Ruby did not check the taintness of inputs. An attacker could exploit this vulnerability to bypass safe levels and execute dangerous functions. (CVE-2008-3657)

Luka Treiber and Mitja Kolsek discovered that REXML in Ruby did not always use expansion limits when processing XML documents. If a user or automated system were tricked into open a crafted XML file, an attacker could cause a denial of service via CPU consumption.
(CVE-2008-3790)

Jan Lieskovsky discovered several flaws in the name resolver of Ruby.
A remote attacker could exploit this to spoof DNS entries, which could lead to misdirected traffic. This is a different vulnerability from CVE-2008-1447. (CVE-2008-3905).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200812-17 (Ruby: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the Ruby interpreter     and its standard libraries. Drew Yao of Apple Product Security     discovered the following flaws:
    Arbitrary code execution     or Denial of Service (memory corruption) in the rb_str_buf_append()     function (CVE-2008-2662).
    Arbitrary code execution or Denial     of Service (memory corruption) in the rb_ary_stor() function     (CVE-2008-2663).
    Memory corruption via alloca in the     rb_str_format() function (CVE-2008-2664).
    Memory corruption     ('REALLOC_N') in the rb_ary_splice() and rb_ary_replace() functions     (CVE-2008-2725).
    Memory corruption ('beg + rlen') in the     rb_ary_splice() and rb_ary_replace() functions (CVE-2008-2726).
    Furthermore, several other vulnerabilities have been reported:
    Tanaka Akira reported an issue with resolv.rb that enables     attackers to spoof DNS responses (CVE-2008-1447).
    Akira Tagoh     of RedHat discovered a Denial of Service (crash) issue in the     rb_ary_fill() function in array.c (CVE-2008-2376).
    Several     safe level bypass vulnerabilities were discovered and reported by Keita     Yamaguchi (CVE-2008-3655).
    Christian Neukirchen is credited     for discovering a Denial of Service (CPU consumption) attack in the     WEBRick HTTP server (CVE-2008-3656).
    A fault in the dl module     allowed the circumvention of taintness checks which could possibly lead     to insecure code execution was reported by 'sheepman'     (CVE-2008-3657).
    Tanaka Akira again found a DNS spoofing     vulnerability caused by the resolv.rb implementation using poor     randomness (CVE-2008-3905).
    Luka Treiber and Mitja Kolsek     (ACROS Security) disclosed a Denial of Service (CPU consumption)     vulnerability in the REXML module when dealing with recursive entity     expansion (CVE-2008-3790).
  Impact :

    These vulnerabilities allow remote attackers to execute arbitrary code,     spoof DNS responses, bypass Ruby's built-in security and taintness     checks, and cause a Denial of Service via crash or CPU exhaustion.
  Workaround :

    There is no known workaround at this time.

Updated ruby packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Ruby is an interpreted scripting language for quick and easy object-oriented programming.

The Ruby DNS resolver library, resolv.rb, used predictable transaction IDs and a fixed source port when sending DNS requests. A remote attacker could use this flaw to spoof a malicious reply to a DNS query. (CVE-2008-3905)

Ruby's XML document parsing module (REXML) was prone to a denial of service attack via XML documents with large XML entity definitions recursion. A specially crafted XML file could cause a Ruby application using the REXML module to use an excessive amount of CPU and memory.
(CVE-2008-3790)

An insufficient 'taintness' check flaw was discovered in Ruby's DL module, which provides direct access to the C language functions. An attacker could use this flaw to bypass intended safe-level restrictions by calling external C functions with the arguments from an untrusted tainted inputs. (CVE-2008-3657)

A denial of service flaw was discovered in WEBrick, Ruby's HTTP server toolkit. A remote attacker could send a specially crafted HTTP request to a WEBrick server that would cause the server to use an excessive amount of CPU time. (CVE-2008-3656)

A number of flaws were found in the safe-level restrictions in Ruby.
It was possible for an attacker to create a carefully crafted malicious script that can allow the bypass of certain safe-level restrictions. (CVE-2008-3655)

A denial of service flaw was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite-loop and crash. (CVE-2008-3443)

Users of ruby should upgrade to these updated packages, which contain backported patches to resolve these issues.

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-3655     Keita Yamaguchi discovered that several safe level     restrictions are insufficiently enforced.

  - CVE-2008-3656     Christian Neukirchen discovered that the WebRick module     uses inefficient algorithms for HTTP header splitting,     resulting in denial of service through resource     exhaustion.

  - CVE-2008-3657     It was discovered that the dl module doesn't perform     taintness checks.

  - CVE-2008-3790     Luka Treiber and Mitja Kolsek discovered that     recursively nested XML entities can lead to denial of     service through resource exhaustion in rexml.

  - CVE-2008-3905     Tanaka Akira discovered that the resolv module uses     sequential transaction IDs and a fixed source port for     DNS queries, which makes it more vulnerable to DNS     spoofing attacks.

Update to new upstream release fixing multiple security issues detailed in the upstream advisories:
http://www.ruby-lang.org/en/news/2008/08/08/multiple- vulnerabilities-in-ruby/ - CVE-2008-3655 - multiple insufficient safe mode restrictions - CVE-2008-3656 - WEBrick DoS vulnerability (CPU consumption) - CVE-2008-3657 - missing 'taintness' checks in dl module
- CVE-2008-3905 - resolv.rb adds random transactions ids and source ports to prevent DNS spoofing attacks http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in- rexml/ - CVE-2008-3790 - DoS in the REXML module One issue not covered by any upstream advisory: - CVE-2008-3443 - DoS in the regular expression engine

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X 10.5 that is older than version 10.5.7.  Mac OS X 10.5.7 contains security fixes for the following products : 

- Apache
- ATS
- BIND
- CFNetwork
- CoreGraphics
-Cscope
- CUPS
- Disk Images
- enscript
- Flash player
- Help Viewer
- iChat
- Internation Components for Unicode
- IPSec
- Kerberos
- Kernel
- Launch Services
- libxml
- Net-SNMP
- Network Time
- Networking
- OpenSSL
- PHP
- QuickDraw Manager
- ruby
- Safari
- Spotlight
- system_cmds
- telnet
- WebKit
- X11
- Terminal

ID	Name	Product	Family	Severity
67752	Oracle Linux 4 / 5 : ruby (ELSA-2008-0897)	Nessus	Oracle Linux Local Security Checks	high
60485	Scientific Linux Security Update : ruby on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
51760	SuSE 10 Security Update : ruby (ZYPP Patch Number 6338)	Nessus	SuSE Local Security Checks	high
42032	openSUSE 10 Security Update : ruby (ruby-6339)	Nessus	SuSE Local Security Checks	high
41452	SuSE 11 Security Update : ruby (SAT Patch Number 1073)	Nessus	SuSE Local Security Checks	high
41312	SuSE9 Security Update : ruby (YOU Patch Number 12452)	Nessus	SuSE Local Security Checks	high
40306	openSUSE Security Update : ruby (ruby-1070)	Nessus	SuSE Local Security Checks	high
40122	openSUSE Security Update : ruby (ruby-1070)	Nessus	SuSE Local Security Checks	high
38744	Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
38743	Mac OS X Multiple Vulnerabilities (Security Update 2009-002)	Nessus	MacOS X Local Security Checks	critical
38018	Mandriva Linux Security Advisory : ruby (MDVSA-2008:226)	Nessus	Mandriva Local Security Checks	high
37474	Ubuntu 8.10 : ruby1.9 vulnerability (USN-691-1)	Nessus	Ubuntu Local Security Checks	medium
37068	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : ruby1.8 vulnerabilities (USN-651-1)	Nessus	Ubuntu Local Security Checks	high
35188	GLSA-200812-17 : Ruby: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
34502	CentOS 4 / 5 : ruby (CESA-2008:0897)	Nessus	CentOS Local Security Checks	high
34466	RHEL 4 / 5 : ruby (RHSA-2008:0897)	Nessus	Red Hat Local Security Checks	high
34388	Debian DSA-1652-1 : ruby1.9 - several vulnerabilities	Nessus	Debian Local Security Checks	high
34387	Debian DSA-1651-1 : ruby1.8 - several vulnerabilities	Nessus	Debian Local Security Checks	high
34380	Fedora 9 : ruby-1.8.6.287-2.fc9 (2008-8738)	Nessus	Fedora Local Security Checks	high
34379	Fedora 8 : ruby-1.8.6.287-2.fc8 (2008-8736)	Nessus	Fedora Local Security Checks	high
5023	Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
800792	Mac OS X 10.5 < 10.5.7 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high

Detections

Analytics

CVE-2008-3790

high

Tenable Plugins

high

high

high

high

high

high

high

high

critical

critical

high

medium

high

critical

high

high

high

high

high

high

critical

high