SB2018112910 - Red Hat update for ruby

Description

This security bulletin contains information about 15 secuirty vulnerabilities.

1) HTTP response splitting (CVE-ID: CVE-2017-17742)

The vulnerability allows a remote attacker to perform HTTP response splitting attack.

The weakness exists due to improper handling of HTTP requests. If a script accepts an external input and outputs it without modification as a part of HTTP responses, a remote attacker can use newline characters to trick the victim that the HTTP response header is stopped at there and inject fake HTTP responses after the newline characters to show malicious contents to the victim.

2) Path traversal (CVE-ID: CVE-2018-6914)

The vulnerability allows a remote attacker to write arbitrary files on the target system.

The weakness exists in the Dir.mktmpdir method in the tmpdir library due to path traversal. A remote attacker can create a directory or a file at any directory in the prefix argument.

3) Resource exhaustion (CVE-ID: CVE-2018-8777)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists a large request in WEBrick. A remote attacker can send a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause the service to crash.

4) Buffer under-read (CVE-ID: CVE-2018-8778)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the String#unpack method due to buffer under-read. A remote attacker can gain access to potentially sensitive information.

5) Poison null byte (CVE-ID: CVE-2018-8779)

The vulnerability allows a remote attacker to write arbitrary files on the target system.

The weakness exists in the UNIXServer.open and UNIXSocket.open methods due to improper checking of null characters. A remote attacker can accept the socket file in the unintentional path.

6) Path traversal (CVE-ID: CVE-2018-8780)

The vulnerability allows a remote attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Dir.open, Dir.new, Dir.entries and Dir.empty? methods due to improper checking of NULL characters. A remote attacker can trigger the unintentional directory traversal.

7) Security restrictions bypass (CVE-ID: CVE-2018-16395)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists in OpenSSL::X509::Name due to the equality check is not correct if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). A remote attacker can supply malicious X.509 certificate to be passed and bypass security restrictions to conduct further attacks.

8) Security restrictions bypass (CVE-ID: CVE-2018-16396)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to the tainted flags are not propagated with the B, b, H, and h directives. A remote attacker can supply inputs by Array#pack and/or String#unpack with these directives and checks the reliability with tainted flags and cause the check to be wrong to bypass security restrictions and conduct further attacks.

9) Path traversal (CVE-ID: CVE-2018-1000073)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the install_location function of package.rb due to path traversal when writing to a symlinked basedir outside of the root. A remote attacker can gain access to potentially sensitive information.

10) Desereliazation of untrusted data (CVE-ID: CVE-2018-1000074)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in owner command due to desereliazation of untrusted data. A remote attacker can execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

11) Infinite loop (CVE-ID: CVE-2018-1000075)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in ruby gem package tar header due to infinite loop. A remote attacker can cause the service to crash.

12) Improper verification of cryptographic signature (CVE-ID: CVE-2018-1000076)

The vulnerability allows a remote attacker to write arbitrary files on the target system.

The weakness exists in package.rb due to improper verification of cryptographic signature. A remote attacker can install mis-signed gem, as the tarball would contain multiple gem signatures.

13) Improper input validation (CVE-ID: CVE-2018-1000077)

The vulnerability allows a remote unauthenticated attacker to write arbitrary files on the target system.

The weakness exists due to improper URL validation of the specification homepage attribute. A remote attacker can trick the victim into installing a malicious RubyGems gem and set an invalid homepage URL.

14) Cross-site scripting (CVE-ID: CVE-2018-1000078)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

15) Path traversal (CVE-ID: CVE-2018-1000079)

The vulnerability allows a remote attacker to modify file locations on the target system.

The weakness exists due to the improper handling of pathnames when the affected software installs new components. A remote attacker can persuade the victim into install a malicious RubyGems gem and use directory traversal techniques to write to arbitrary file locations.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2018:3730