Posted by zzak on 13 Apr 2015
Ruby’s OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames, which can lead to similar bugs such as CVE-2014-1492. Similar issues were found in Python.
This vulnerability has been assigned the CVE identifier CVE-2015-1855.
We strongly recommend you upgrade Ruby.
Details
After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates.
Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no-longer allowed. As well, comparison of these values is now case-insensitive.
This change will affect Ruby’s OpenSSL::SSL#verify_certificate_identity behavior.
Specifically:
- Only one wildcard character in the left-most part of the hostname is allowed.
- IDNA names can now only be matched by a simple wildcard (e.g. ‘*.domain’).
- Subject/SAN should be limited to ASCII characters only.
All users running an affected release should upgrade immediately.
Affected versions
- All Ruby 2.0 versions prior to Ruby 2.0.0 patchlevel 645
- All Ruby 2.1 versions prior to Ruby 2.1.6
- All Ruby 2.2 versions prior to Ruby 2.2.2
- prior to trunk revision 50292
Credits
Thanks to Tony Arcieri, Jeffrey Walton, and Steffan Ullrich for reporting this issue. Originally reported as Bug #9644, and patches submitted by Tony Arcieri and Hiroshi Nakamura.
History
- Originally published at 2015-04-13 12:00:00 (UTC)