CVE-2011-2705

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

References

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063062.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063071.html

http://redmine.ruby-lang.org/issues/4579

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050

http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_352/ChangeLog

http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_290/ChangeLog

http://www.openwall.com/lists/oss-security/2011/07/11/1

http://www.openwall.com/lists/oss-security/2011/07/12/14

http://www.openwall.com/lists/oss-security/2011/07/20/1

http://www.openwall.com/lists/oss-security/2011/07/20/16

http://www.redhat.com/support/errata/RHSA-2011-1581.html

http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/

http://www.ruby-lang.org/en/news/2011/07/15/ruby-1-9-2-p290-is-released/

http://www.securityfocus.com/bid/49015

https://bugzilla.redhat.com/show_bug.cgi?id=722415

Details

Source: MITRE

Published: 2011-08-05

Updated: 2012-01-19

Type: CWE-20

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:ruby-lang:ruby:1.8.7:p22:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p71:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p72:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7-160:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7-173:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7-248:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7-249:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7-299:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7-302:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7-330:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* versions up to 1.8.7-334 (inclusive)

cpe:2.3:a:ruby-lang:ruby:1.8.7-p21:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:ruby-lang:ruby:1.9:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9:r18423:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.0:r18423:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.0-0:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.0-1:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.0-2:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.0-20060415:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.0-20070709:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-p0:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-p129:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-p243:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-p376:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-p429:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-preview_1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-preview_2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-rc1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.1:-rc2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.2:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.2:dev:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.2-p136:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.2-p180:*:*:*:*:*:*:*

Tenable Plugins

View all (9 total)

IDNameProductFamilySeverity
83907Debian DLA-235-1 : ruby1.9.1 security updateNessusDebian Local Security Checks
medium
82233Debian DLA-88-1 : ruby1.8 security updateNessusDebian Local Security Checks
high
76015openSUSE Security Update : ruby (openSUSE-SU-2012:0228-1)NessusSuSE Local Security Checks
high
58146Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : ruby1.8 vulnerabilities (USN-1377-1)NessusUbuntu Local Security Checks
high
57841SuSE 11.1 Security Update : ruby (SAT Patch Number 5716)NessusSuSE Local Security Checks
high
57840SuSE 11.1 Security Update : ruby (SAT Patch Number 5716)NessusSuSE Local Security Checks
high
57017RHEL 6 : ruby (RHSA-2011:1581)NessusRed Hat Local Security Checks
medium
55678Fedora 14 : ruby-1.8.7.352-1.fc14 (2011-9374)NessusFedora Local Security Checks
medium
55677Fedora 15 : ruby-1.8.7.352-1.fc15 (2011-9359)NessusFedora Local Security Checks
medium