Amazon Linux AMI update for ruby19, ruby20, ruby21, ruby22



Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2015-7551
CWE-ID CWE-20
Exploitation vector Local
Public exploit N/A
Vulnerable software
Amazon Linux AMI
Operating systems & Components / Operating system

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Input validation error

EUVDB-ID: #VU32356

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2015-7551

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a context-dependent attacker to execute arbitrary code or cause a denial of service (application crash).

The vulnerability exists because Fiddle::Handle (ext/fiddle/handle.c) and the DL module, which pass a library name to dlopen(3) through libffi, do not check the taint of that string, so the $SAFE taint check that should reject untrusted input is bypassed. An attacker who can get a crafted string into such a call can have the interpreter load an attacker-chosen shared library, leading to arbitrary code execution or an application crash. This is the same flaw that was fixed in DL as CVE-2009-5147 and reappeared when DL was reimplemented on top of Fiddle. It was fixed upstream in Ruby 2.0.0-p648, 2.1.8 and 2.2.4, which the ruby20, ruby21 and ruby22 package versions below correspond to.
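
The unsafe call pattern this CVE concerns, beside a hardened loader, as an added example that is not part of the bulletin or of Ruby's own code. The hardened form does not rely on $SAFE taint tracking (which was removed from Ruby in 3.0) to reject a crafted library name; it resolves the name against an allowlist of directories and refuses anything else. The names safe_library_path, load_native_library and with_demo_layout are hypothetical, the ".so"-only extension rule is a policy chosen for the example, and the directory layout it builds is constructed in a temporary directory rather than taken from a real host.

```ruby
require "tmpdir"
require "fileutils"

# Unsafe: whatever string the caller was handed goes straight to dlopen(3).
# Before the fix for CVE-2015-7551 a tainted string here was not rejected
# even with $SAFE set; with $SAFE gone, nothing checks it at all.
def load_native_library_unsafe(name)
  require "fiddle"
  Fiddle::Handle.new(name)
end

# Hypothetical helper: resolve an untrusted library *name* to a regular file
# inside one of allowed_dirs, or raise ArgumentError.  Rejects NUL bytes
# (they truncate the C string dlopen sees), any directory component
# (traversal and absolute paths), an unexpected extension (example policy:
# only plain ".so" names), and symlinks that resolve outside the directory.
def safe_library_path(name, allowed_dirs)
  raise ArgumentError, "NUL byte in library name" if name.include?("\0")
  raise ArgumentError, "library name must not contain a path" if name != File.basename(name)
  raise ArgumentError, "unexpected extension" unless name.end_with?(".so")
  allowed_dirs.each do |dir|
    candidate = File.join(dir, name)
    next unless File.file?(candidate)
    real = File.realpath(candidate)
    return real if real.start_with?(File.realpath(dir) + File::SEPARATOR)
    raise ArgumentError, "#{name} resolves outside #{dir}"
  end
  raise ArgumentError, "#{name} not found in the allowed directories"
end

# Hardened loader: only a validated absolute path ever reaches Fiddle.
def load_native_library(name, allowed_dirs)
  require "fiddle"
  Fiddle::Handle.new(safe_library_path(name, allowed_dirs))
end

# Constructed layout for the checks below (not a real library directory):
# an allowed dir holding a stand-in libgood.so (empty file, never loaded),
# plus a libevil.so symlink pointing at a file outside that dir.
def with_demo_layout
  Dir.mktmpdir("fiddle-demo") do |root|
    allowed = File.join(root, "lib")
    outside = File.join(root, "outside")
    FileUtils.mkdir_p([allowed, outside])
    File.write(File.join(allowed, "libgood.so"), "")
    File.write(File.join(outside, "secret.so"), "")
    File.symlink(File.join(outside, "secret.so"), File.join(allowed, "libevil.so"))
    yield allowed
  end
end

# Runs a set of crafted names through the validator and reports, per name,
# whether it would have been handed to dlopen (:accepted) or not (:rejected).
def demo_results
  with_demo_layout do |allowed|
    ["libgood.so", "libevil.so", "../outside/secret.so", "/etc/ld.so.cache", "libgood.so\0x"].to_h do |name|
      begin
        safe_library_path(name, [allowed])
        [name, :accepted]
      rescue ArgumentError
        [name, :rejected]
      end
    end
  end
end

puts demo_results if __FILE__ == $PROGRAM_NAME
```

Only libgood.so is accepted; the traversal, absolute path, NUL-byte and symlink-escape cases are all refused before Fiddle is involved. The point is that the taint mechanism was a safety net, and a program that passes attacker-influenced strings to Fiddle::Handle.new or DL should validate them itself regardless of the interpreter version.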

Mitigation

Update the affected packages (on Amazon Linux AMI: yum update ruby19 ruby20 ruby21 ruby22), then confirm that the installed versions are at or above the ones listed here:

i686:
    rubygem22-psych-2.0.8-1.8.amzn1.i686
    ruby22-debuginfo-2.2.4-1.8.amzn1.i686
    ruby22-2.2.4-1.8.amzn1.i686
    rubygem22-io-console-0.4.3-1.8.amzn1.i686
    ruby22-devel-2.2.4-1.8.amzn1.i686
    ruby22-libs-2.2.4-1.8.amzn1.i686
    rubygem22-bigdecimal-1.2.6-1.8.amzn1.i686
    ruby21-libs-2.1.8-1.19.amzn1.i686
    rubygem21-io-console-0.4.3-1.19.amzn1.i686
    ruby21-devel-2.1.8-1.19.amzn1.i686
    ruby21-debuginfo-2.1.8-1.19.amzn1.i686
    rubygem21-psych-2.0.5-1.19.amzn1.i686
    rubygem21-bigdecimal-1.2.4-1.19.amzn1.i686
    ruby21-2.1.8-1.19.amzn1.i686
    rubygem19-io-console-0.3-32.70.amzn1.i686
    ruby19-libs-1.9.3.551-32.70.amzn1.i686
    rubygem19-bigdecimal-1.1.0-32.70.amzn1.i686
    ruby19-devel-1.9.3.551-32.70.amzn1.i686
    ruby19-1.9.3.551-32.70.amzn1.i686
    ruby19-doc-1.9.3.551-32.70.amzn1.i686
    rubygem19-json-1.5.5-32.70.amzn1.i686
    ruby19-debuginfo-1.9.3.551-32.70.amzn1.i686
    ruby20-2.0.0.648-1.29.amzn1.i686
    rubygem20-io-console-0.4.2-1.29.amzn1.i686
    ruby20-libs-2.0.0.648-1.29.amzn1.i686
    ruby20-debuginfo-2.0.0.648-1.29.amzn1.i686
    rubygem20-bigdecimal-1.2.0-1.29.amzn1.i686
    ruby20-devel-2.0.0.648-1.29.amzn1.i686
    rubygem20-psych-2.0.0-1.29.amzn1.i686

noarch:
    ruby22-irb-2.2.4-1.8.amzn1.noarch
    rubygems22-devel-2.4.5.1-1.8.amzn1.noarch
    ruby22-doc-2.2.4-1.8.amzn1.noarch
    rubygems22-2.4.5.1-1.8.amzn1.noarch
    ruby21-doc-2.1.8-1.19.amzn1.noarch
    ruby21-irb-2.1.8-1.19.amzn1.noarch
    rubygems21-devel-2.2.5-1.19.amzn1.noarch
    rubygems21-2.2.5-1.19.amzn1.noarch
    rubygems19-1.8.23.2-32.70.amzn1.noarch
    rubygems19-devel-1.8.23.2-32.70.amzn1.noarch
    rubygem19-rake-0.9.2.2-32.70.amzn1.noarch
    ruby19-irb-1.9.3.551-32.70.amzn1.noarch
    rubygem19-minitest-2.5.1-32.70.amzn1.noarch
    rubygem19-rdoc-3.9.5-32.70.amzn1.noarch
    rubygems20-2.0.14.1-1.29.amzn1.noarch
    ruby20-doc-2.0.0.648-1.29.amzn1.noarch
    rubygems20-devel-2.0.14.1-1.29.amzn1.noarch
    ruby20-irb-2.0.0.648-1.29.amzn1.noarch

src:
    ruby22-2.2.4-1.8.amzn1.src
    ruby21-2.1.8-1.19.amzn1.src
    ruby19-1.9.3.551-32.70.amzn1.src
    ruby20-2.0.0.648-1.29.amzn1.src

x86_64:
    ruby22-devel-2.2.4-1.8.amzn1.x86_64
    ruby22-libs-2.2.4-1.8.amzn1.x86_64
    rubygem22-io-console-0.4.3-1.8.amzn1.x86_64
    ruby22-debuginfo-2.2.4-1.8.amzn1.x86_64
    rubygem22-psych-2.0.8-1.8.amzn1.x86_64
    rubygem22-bigdecimal-1.2.6-1.8.amzn1.x86_64
    ruby22-2.2.4-1.8.amzn1.x86_64
    rubygem21-bigdecimal-1.2.4-1.19.amzn1.x86_64
    ruby21-2.1.8-1.19.amzn1.x86_64
    rubygem21-psych-2.0.5-1.19.amzn1.x86_64
    ruby21-debuginfo-2.1.8-1.19.amzn1.x86_64
    ruby21-devel-2.1.8-1.19.amzn1.x86_64
    ruby21-libs-2.1.8-1.19.amzn1.x86_64
    rubygem21-io-console-0.4.3-1.19.amzn1.x86_64
    ruby19-devel-1.9.3.551-32.70.amzn1.x86_64
    rubygem19-bigdecimal-1.1.0-32.70.amzn1.x86_64
    ruby19-libs-1.9.3.551-32.70.amzn1.x86_64
    rubygem19-io-console-0.3-32.70.amzn1.x86_64
    ruby19-doc-1.9.3.551-32.70.amzn1.x86_64
    ruby19-debuginfo-1.9.3.551-32.70.amzn1.x86_64
    ruby19-1.9.3.551-32.70.amzn1.x86_64
    rubygem19-json-1.5.5-32.70.amzn1.x86_64
    ruby20-debuginfo-2.0.0.648-1.29.amzn1.x86_64
    rubygem20-bigdecimal-1.2.0-1.29.amzn1.x86_64
    ruby20-2.0.0.648-1.29.amzn1.x86_64
    ruby20-libs-2.0.0.648-1.29.amzn1.x86_64
    rubygem20-psych-2.0.0-1.29.amzn1.x86_64
    ruby20-devel-2.0.0.648-1.29.amzn1.x86_64
    rubygem20-io-console-0.4.2-1.29.amzn1.x86_64
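
A check that the installed ruby19/ruby20/ruby21/ruby22 packages are at or above the fixed versions above, as an added example that is not part of the ALAS bulletin or of Amazon's tooling. It compares versions the way rpm does (a port of rpm's rpmvercmp, without the "^" rule, which none of these versions use), so that 1.8.amzn1 correctly sorts after 1.7.amzn1 and 1.10 after 1.8. The function names are hypothetical, and the rpm output it runs on is a constructed sample rather than output captured from a real host.

```ruby
# Fixed NAME => "VERSION-RELEASE" pairs, copied from the package list above.
FIXED = {
  "ruby19" => "1.9.3.551-32.70.amzn1",
  "ruby20" => "2.0.0.648-1.29.amzn1",
  "ruby21" => "2.1.8-1.19.amzn1",
  "ruby22" => "2.2.4-1.8.amzn1",
}.freeze

# Port of rpm's rpmvercmp(): returns -1, 0 or 1.  Both strings are walked as
# alternating runs of digits and letters; digit runs compare as integers,
# letter runs lexically, and a digit run sorts newer than a letter run.
# A "~" sorts older than anything, including the end of the string.
def rpmvercmp(a, b)
  return 0 if a == b
  a = a.dup
  b = b.dup
  until a.empty? && b.empty?
    a.sub!(/\A[^[:alnum:]~]+/, "")   # skip separators such as "." and "-"
    b.sub!(/\A[^[:alnum:]~]+/, "")
    if a.start_with?("~") || b.start_with?("~")
      return 1 unless a.start_with?("~")
      return -1 unless b.start_with?("~")
      a.slice!(0)
      b.slice!(0)
      next
    end
    break if a.empty? || b.empty?
    isnum = a.match?(/\A\d/)
    seg = isnum ? /\A\d+/ : /\A[[:alpha:]]+/
    seg_a = a.slice!(seg)
    seg_b = b.slice!(seg)
    return -1 if seg_a.nil?            # non-ASCII run; rpm treats this as older
    if seg_b.nil?                      # different run types: digits win
      return isnum ? 1 : -1
    end
    if isnum
      seg_a = seg_a.sub(/\A0+(?=\d)/, "")   # drop leading zeros
      seg_b = seg_b.sub(/\A0+(?=\d)/, "")
      return seg_a.length <=> seg_b.length if seg_a.length != seg_b.length
    end
    cmp = seg_a <=> seg_b
    return cmp unless cmp.zero?
  end
  return 0 if a.empty? && b.empty?
  a.empty? ? -1 : 1
end

# Compare two "VERSION-RELEASE" strings as rpm does: version first, then
# release.  Epochs are left out because none of these packages carry one.
def evr_cmp(x, y)
  vx, rx = x.split("-", 2)
  vy, ry = y.split("-", 2)
  c = rpmvercmp(vx, vy)
  c.zero? ? rpmvercmp(rx.to_s, ry.to_s) : c
end

# Classify each package from the output of
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ruby19 ruby20 ruby21 ruby22
# as :fixed, :vulnerable or :not_installed.
def audit(rpm_output)
  rpm_output.each_line.with_object({}) do |line, result|
    if (m = line.match(/\Apackage (\S+) is not installed/))
      result[m[1]] = :not_installed
    elsif (m = line.match(/\A(\S+) (\S+)\s*\z/)) && FIXED.key?(m[1])
      result[m[1]] = evr_cmp(m[2], FIXED[m[1]]) >= 0 ? :fixed : :vulnerable
    end
  end
end

# Constructed sample output (not captured from a real host): ruby19 already
# at the fixed build, ruby20 and ruby22 one release behind, ruby21 absent.
SAMPLE_RPM_OUTPUT = <<~RPM
  ruby19 1.9.3.551-32.70.amzn1
  ruby20 2.0.0.648-1.28.amzn1
  package ruby21 is not installed
  ruby22 2.2.3-1.7.amzn1
RPM

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RPM_OUTPUT).each { |name, state| puts "#{name}: #{state}" }
end
```

On a real instance, replace SAMPLE_RPM_OUTPUT with the output of the rpm -q command shown in the comment; a package reported as :vulnerable has not received the ALAS-2016-632 build even if yum claims it is up to date, which is worth checking on instances that pin or mirror repositories.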

Vulnerable software versions

Amazon Linux AMI: All versions

External links

https://alas.aws.amazon.com/ALAS-2016-632.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability is rated as locally exploitable: the attacker needs an authenticated foothold on the system and a Ruby program on it that passes attacker-influenced strings to DL or Fiddle::Handle.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
