FreeBSD : ruby -- Hash-flooding DoS vulnerability for ruby 1.9 (5e647ca3-2aea-11e2-b745-001fd0af1a4c)

Medium Nessus Plugin ID 62886

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 2.7

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The official ruby site reports :

Carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web application that parses the JSON data sent from untrusted entity.

This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using modified MurmurHash function but it's reported that there is a way to create sequence of strings that collide their hash values each other. This fix changes the Hash function of String object from the MurmurHash to SipHash 2-4.

Solution

Update the affected package.

See Also

http://www.nessus.org/u?060da3e3

http://www.nessus.org/u?dc4c87bc

Plugin Details

Severity: Medium

ID: 62886

File Name: freebsd_pkg_5e647ca32aea11e2b745001fd0af1a4c.nasl

Version: 1.6

Type: local

Published: 2012/11/12

Updated: 2021/01/06

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 2.7

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ruby, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2012/11/10

Vulnerability Publication Date: 2012/11/10

Reference Information

CVE: CVE-2012-5371