Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

This update fixes multiple local and remote denial of service and remote code execute problems :

CVE-2011-0188 Properly allocate memory, to prevent arbitrary code execution or application crash. Reported by Drew Yao.

CVE-2011-2686

Reinitialize the random seed when forking to prevent CVE-2003-0900 like situations.

CVE-2011-2705 Modify PRNG state to prevent random number sequence repeatation at forked child process which has same pid. Reported by Eric Wong.

CVE-2011-4815

Fix a problem with predictable hash collisions resulting in denial of service (CPU consumption) attacks. Reported by Alexander Klink and Julian Waelde.

CVE-2014-8080

Fix REXML parser to prevent memory consumption denial of service via crafted XML documents. Reported by Willis Vandevanter.

CVE-2014-8090

Add REXML::Document#document to complement the fix for CVE-2014-8080.
Reported by Tomas Hoger.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Solaris system is missing necessary patches to address security updates :

  - Ruby (aka CRuby) before 1.8.7-p357 computes hash values     without restricting the ability to trigger hash     collisions predictably, which allows context-dependent     attackers to cause a denial of service (CPU consumption)     via crafted input to an application that maintains a     hash table. (CVE-2011-4815)

The remote host is affected by the vulnerability described in GLSA-201412-27 (Ruby: Denial of Service)

    Multiple vulnerabilities have been discovered in Ruby. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could possibly execute arbitrary code with       the privileges of the process, cause a Denial of Service condition, or       bypass security restrictions.
  Workaround :

    There is no known workaround at this time.

This update of ruby provides 1.8.7p357, which contains many stability fixes and bug fixes, which are fully compatible with the previous version. You can review the detailed list here :

http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_357/ChangeLog

The particularly noteworthy fixes are :

  - Hash functions are now using a randomized seed to avoid     algorithmic complexity attacks (CVE-2011-4815). For this     OpenSSL::Random.seed at the SecureRandom.random_bytes is     used if available.

  - mkconfig.rb: fix for continued lines.

  - Fix Infinity to be greater than any bignum number.

  - initialize store->ex_data.sk.

  - some IPv6 related fixes

  - zlib fixes

  - reinitialize PRNG when forking children     (CVE-2011-2686/CVE-2011-3009)

  - securerandom fixes (CVE-2011-2705)

  - uri route_to fixes

  - fix race condition with variables and autoload

From Red Hat Security Advisory 2012:0070 :

Updated ruby packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4815)

It was found that Ruby did not reinitialize the PRNG (pseudorandom number generator) after forking a child process. This could eventually lead to the PRNG returning the same result twice. An attacker keeping track of the values returned by one child process could use this flaw to predict the values the PRNG would return in other child processes (as long as the parent process persisted). (CVE-2011-3009)

Red Hat would like to thank oCERT for reporting CVE-2011-4815. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters of CVE-2011-4815.

All users of ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

From Red Hat Security Advisory 2012:0069 :

Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4815)

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters.

All users of ruby are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4815)

All users of ruby are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4815)

It was found that Ruby did not reinitialize the PRNG (pseudorandom number generator) after forking a child process. This could eventually lead to the PRNG returning the same result twice. An attacker keeping track of the values returned by one child process could use this flaw to predict the values the PRNG would return in other child processes (as long as the parent process persisted). (CVE-2011-3009)

All users of ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

The remote host is running a version of Mac OS X 10.7 that is older than version 10.7.4.  The newer version contains numerous security-related fixes for the following components :

  - Login Windows
  - Bluetooth
  - curl
  - HFS
  - Kernel
  - libarchive
  - libsecurity
  - libxml
  - LoginUIFramework
  - PHP
  - Quartz Composer
  - QuickTime
  - Ruby
  - Security Framework
  - Time Machine
  - X11

The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2012-002 applied. This update contains multiple security-related fixes for the following components :

  - curl
  - Directory Service
  - ImageIO
  - libarchive
  - libsecurity
  - libxml
  - Quartz Composer
  - QuickTime
  - Ruby
  - Samba
  - Security Framework

The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.4. The newer version contains numerous security-related fixes for the following components :

  - Login Window
  - Bluetooth
  - curl
  - HFS
  - Kernel
  - libarchive
  - libsecurity
  - libxml
  - LoginUIFramework
  - PHP
  - Quartz Composer
  - QuickTime
  - Ruby
  - Security Framework
  - Time Machine
  - X11

Note that this update addresses the recent FileVault password vulnerability, in which user passwords are stored in plaintext to a system-wide debug log if the legacy version of FileVault is used to encrypt user directories after a system upgrade to Lion. Since the patch only limits further exposure, though, we recommend that all users on the system change their passwords if user folders were encrypted using the legacy version of FileVault prior to and after an upgrade to OS X 10.7.

A vulnerability has been found and corrected in ruby :

Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table (CVE-2011-4815).

The updated packages have been patched to correct this issue.

Drew Yao discovered that the WEBrick HTTP server was vulnerable to cross-site scripting attacks when displaying error pages. A remote attacker could use this flaw to run arbitrary web script.
(CVE-2010-0541)

Drew Yao discovered that Ruby's BigDecimal module did not properly allocate memory on 64-bit platforms. An attacker could use this flaw to cause a denial of service or possibly execute arbitrary code with user privileges. (CVE-2011-0188)

Nicholas Jefferson discovered that the FileUtils.remove_entry_secure method in Ruby did not properly remove non-empty directories. An attacker could use this flaw to possibly delete arbitrary files.
(CVE-2011-1004)

It was discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions. (CVE-2011-1005)

Eric Wong discovered that Ruby does not properly reseed its pseudorandom number generator when creating child processes. An attacker could use this flaw to gain knowledge of the random numbers used in other Ruby child processes. (CVE-2011-2686)

Eric Wong discovered that the SecureRandom module in Ruby did not properly seed its pseudorandom number generator. An attacker could use this flaw to gain knowledge of the random numbers used by another Ruby process with the same process ID number. (CVE-2011-2705)

Alexander Klink and Julian Walde discovered that Ruby computed hash values without restricting the ability to trigger hash collisions predictably. A remote attacker could cause a denial of service by crafting values used in hash tables. (CVE-2011-4815).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of ruby provides 1.8.7p357, which contains many stability fixes and bug fixes while maintaining full compatibility with the previous version. A detailailed list of changes is available from http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_357/ChangeLog .

The most important fixes are :

  - Hash functions are now using a randomized seed to avoid     algorithmic complexity attacks. If available,     OpenSSL::Random.seed at the SecureRandom.random_bytes is     used to achieve this. (CVE-2011-4815)

  - mkconfig.rb: fix for continued lines.

  - Fix Infinity to be greater than any bignum number.

  - Initialize store->ex_data.sk.

  - Several IPv6 related fixes.

  - Fixes for zlib.

  - Reinitialize PRNG when forking children. (CVE-2011-2686     / CVE-2011-3009)

  - Fixes to securerandom. (CVE-2011-2705)

  - Fix uri route_to

  - Fix race condition with variables and autoload.

Updated ruby packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4815)

It was found that Ruby did not reinitialize the PRNG (pseudorandom number generator) after forking a child process. This could eventually lead to the PRNG returning the same result twice. An attacker keeping track of the values returned by one child process could use this flaw to predict the values the PRNG would return in other child processes (as long as the parent process persisted). (CVE-2011-3009)

Red Hat would like to thank oCERT for reporting CVE-2011-4815. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters of CVE-2011-4815.

All users of ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2011-4815)

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters.

All users of ruby are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

oCERT reports :

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

The condition for predictable collisions in the hashing functions has been reported for the following language implementations : Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function.

The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language.

A security flaw was found on the previous ruby that with some series of strings which was specially crafted to intentionally collide their hash values with each other, rails applications may fall into denial of services when such strings are used in HTTP requests (CVE-2011-4815). This new ruby will fix this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
82233	Debian DLA-88-1 : ruby1.8 security update	Nessus	Debian Local Security Checks	high
80754	Oracle Solaris Third-Party Patch Update : ruby (cve_2011_4815_denial_of)	Nessus	Solaris Local Security Checks	high
79980	GLSA-201412-27 : Ruby: Denial of Service	Nessus	Gentoo Local Security Checks	high
76015	openSUSE Security Update : ruby (openSUSE-SU-2012:0228-1)	Nessus	SuSE Local Security Checks	high
69642	Amazon Linux AMI : ruby (ALAS-2012-35)	Nessus	Amazon Linux Local Security Checks	high
68441	Oracle Linux 4 / 5 : ruby (ELSA-2012-0070)	Nessus	Oracle Linux Local Security Checks	high
68440	Oracle Linux 6 : ruby (ELSA-2012-0069)	Nessus	Oracle Linux Local Security Checks	high
61229	Scientific Linux Security Update : ruby on SL6.x i386/x86_64 (20120130)	Nessus	Scientific Linux Local Security Checks	high
61228	Scientific Linux Security Update : ruby on SL4.x, SL5.x i386/x86_64 (20120130)	Nessus	Scientific Linux Local Security Checks	high
6482	Mac OS X 10.7 < 10.7.4 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
59067	Mac OS X Multiple Vulnerabilities (Security Update 2012-002) (BEAST)	Nessus	MacOS X Local Security Checks	critical
59066	Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST)	Nessus	MacOS X Local Security Checks	critical
58163	Mandriva Linux Security Advisory : ruby (MDVSA-2012:024)	Nessus	Mandriva Local Security Checks	high
58146	Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : ruby1.8 vulnerabilities (USN-1377-1)	Nessus	Ubuntu Local Security Checks	high
57841	SuSE 11.1 Security Update : ruby (SAT Patch Number 5716)	Nessus	SuSE Local Security Checks	high
57840	SuSE 11.1 Security Update : ruby (SAT Patch Number 5716)	Nessus	SuSE Local Security Checks	high
57747	RHEL 4 / 5 : ruby (RHSA-2012:0070)	Nessus	Red Hat Local Security Checks	high
57746	RHEL 6 : ruby (RHSA-2012:0069)	Nessus	Red Hat Local Security Checks	high
57734	CentOS 4 / 5 : ruby (CESA-2012:0070)	Nessus	CentOS Local Security Checks	high
57733	CentOS 6 : ruby (CESA-2012:0069)	Nessus	CentOS Local Security Checks	high
57552	FreeBSD : Multiple implementations -- DoS via hash algorithm collision (91be81e7-3fea-11e1-afc7-2c4138874f7d)	Nessus	FreeBSD Local Security Checks	high
57478	Fedora 15 : ruby-1.8.7.357-1.fc15 (2011-17551)	Nessus	Fedora Local Security Checks	high
57477	Fedora 16 : ruby-1.8.7.357-1.fc16 (2011-17542)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2011-4815

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

critical

critical

critical

high

high

high

high

high

high

high

high

high

high

high