SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Ruby
Vendors:   Matsumoto, Yukihiro
Ruby Flaws in RubyGems Let Remote Users Hijack the DNS and Overwrite Files and Let Local Users Deny Service
SecurityTracker Alert ID:  1039249
SecurityTracker URL:  http://securitytracker.com/id/1039249
CVE Reference:   CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-0902
Date:  Aug 30 2017
Impact:   Denial of service via local system, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.2.7 and before, 2.3.4 and before, 2.4.1 and before
Description:   Several vulnerabilities were reported in Ruby in the RubyGems component. A local user can cause denial of service conditions on the target system. A remote user can cause files to be overwritten on the target system. A remote user can hijack DNS sessions.

A local user can supply a specially crafted 'query' command to cause denial of service conditions on the target system [CVE-2017-0900].

A remote user can create a specially crafted RubyGem that, when installed by the target user, will overwrite arbitrary files on the target system [CVE-2017-0901].

A remote user can hijack DNS sessions [CVE-2017-0902].

An ANSI escape sequence vulnerability exists [CVE-2017-0899]. The impact was not specified.

[Editor's note: The vulnerabilities reside in RubyGems, which is bundled with Ruby.]

Jonathan Claudius and Yusuke Endoh reported these vulnerabilities.

Impact:   A local user can cause denial of service conditions on the target system.

A remote user can cause files to be overwritten on the target system in certain cases.

A remote user can hijack DNS sessions.

Solution:   The vendor has issued patches.

[Editor's note: The Ruby patches include the fixed RubyGems version 2.6.13.]

The vendor advisories are available at:

https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
http://blog.rubygems.org/2017/08/27/2.6.13-released.html

Vendor URL:  www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 5 2017 (Ubuntu Issues Fix) Ruby Flaws in RubyGems Let Remote Users Hijack the DNS and Overwrite Files and Let Local Users Deny Service
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS.
Dec 19 2017 (Red Hat Issues Fix) Ruby Flaws in RubyGems Let Remote Users Hijack the DNS and Overwrite Files and Let Local Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6, 6.7, 7, 7.3, and 7.4.
Feb 1 2018 (Ubuntu Issues Fix) Ruby Flaws in RubyGems Let Remote Users Hijack the DNS and Overwrite Files and Let Local Users Deny Service
Ubuntu has issued a fix for Ubuntu Linux 16.04 LTS and 17.10.

Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2019, SecurityGlobal.net LLC