ID CVE-2018-16396
Summary An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
References
Vulnerable Configurations
  • Ruby-lang Ruby 2.3.0
    cpe:2.3:a:ruby-lang:ruby:2.3.0
  • Ruby-lang Ruby 2.3.0 Preview 1
    cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1
  • Ruby-lang Ruby 2.3.0 Preview 2
    cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2
  • Ruby-lang Ruby 2.3.1
    cpe:2.3:a:ruby-lang:ruby:2.3.1
  • Ruby-lang Ruby 2.3.2
    cpe:2.3:a:ruby-lang:ruby:2.3.2
  • Ruby-lang Ruby 2.3.3
    cpe:2.3:a:ruby-lang:ruby:2.3.3
  • Ruby-lang Ruby 2.3.4
    cpe:2.3:a:ruby-lang:ruby:2.3.4
  • Ruby-lang Ruby 2.3.5
    cpe:2.3:a:ruby-lang:ruby:2.3.5
  • Ruby-lang Ruby 2.3.6
    cpe:2.3:a:ruby-lang:ruby:2.3.6
  • Ruby-lang Ruby 2.3.7
    cpe:2.3:a:ruby-lang:ruby:2.3.7
  • Ruby-lang Ruby 2.4.0
    cpe:2.3:a:ruby-lang:ruby:2.4.0
  • Ruby-lang Ruby 2.4.0 Preview 1
    cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1
  • Ruby-lang Ruby 2.4.0 Preview 2
    cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2
  • Ruby-lang Ruby 2.4.0 Preview 3
    cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3
  • Ruby-lang Ruby 2.4.0 Release Candidate 1
    cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1
  • Ruby-lang Ruby 2.4.1
    cpe:2.3:a:ruby-lang:ruby:2.4.1
  • Ruby-lang Ruby 2.4.2
    cpe:2.3:a:ruby-lang:ruby:2.4.2
  • Ruby-lang Ruby 2.4.3
    cpe:2.3:a:ruby-lang:ruby:2.4.3
  • Ruby-lang Ruby 2.4.4
    cpe:2.3:a:ruby-lang:ruby:2.4.4
  • Ruby-lang Ruby 2.5.0
    cpe:2.3:a:ruby-lang:ruby:2.5.0
  • Ruby-lang Ruby 2.5.0 Preview 1
    cpe:2.3:a:ruby-lang:ruby:2.5.0:preview1
  • Ruby-lang Ruby 2.5.1
    cpe:2.3:a:ruby-lang:ruby:2.5.1
  • Ruby-lang Ruby 2.6.0 Preview 1
    cpe:2.3:a:ruby-lang:ruby:2.6.0:preview1
  • Ruby-lang Ruby 2.6.0 Preview 2
    cpe:2.3:a:ruby-lang:ruby:2.6.0:preview2
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.10
    cpe:2.3:o:canonical:ubuntu_linux:18.10
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Red Hat Enterprise Linux 6.0
    cpe:2.3:o:redhat:enterprise_linux:6.0
  • Red Hat Enterprise Linux (RHEL) 7.0 (7)
    cpe:2.3:o:redhat:enterprise_linux:7.0
  • Red Hat Enterprise Linux 7.4
    cpe:2.3:o:redhat:enterprise_linux:7.4
  • Red Hat Enterprise Linux 7.5
    cpe:2.3:o:redhat:enterprise_linux:7.5
  • Red Hat Enterprise Linux 7.6
    cpe:2.3:o:redhat:enterprise_linux:7.6
CVSS
Base: 6.8
CWE CWE-254
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4332.NASL
    description Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2018-16395 Tyler Eckstein reported that the equality check of OpenSSL::X509::Name could return true for non-equal objects. If a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal. - CVE-2018-16396 Chris Seaton discovered that tainted flags are not propagated in Array#pack and String#unpack with some directives.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 118721
    published 2018-11-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118721
    title Debian DSA-4332-1 : ruby2.3 - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1113.NASL
    description An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.(CVE-2018-16395) An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.(CVE-2018-16396)
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 119472
    published 2018-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119472
    title Amazon Linux AMI : ruby23 / ruby24 (ALAS-2018-1113)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1558.NASL
    description CVE-2018-16395 Fix for OpenSSL::X509::Name equality check. CVE-2018-16396 Tainted flags are not propagated in Array#pack and String#unpack with some directives. For Debian 8 'Jessie', these problems have been fixed in version 2.1.5-2+deb8u6. We recommend that you upgrade your ruby2.1 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 118471
    published 2018-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118471
    title Debian DLA-1558-1 : ruby2.1 security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_AFC604840652440EB01A5EF814747F06.NASL
    description Ruby news : CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly An instance of OpenSSL::X509::Name contains entities such as CN, C and so on. Two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, there is a bug where the equality check is incorrect if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). So, if a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility that they are incorrectly judged to be equal. CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives The Array#pack method converts the receiver's contents into a string with the specified format. If the receiver contains some tainted objects, the returned string should also be tainted. The String#unpack method, which converts the receiver into an array, should also propagate its tainted flag to the objects contained in the returned array. But with the B, b, H and h directives, the tainted flags are not propagated. So, if a script processes unreliable inputs with Array#pack and/or String#unpack using these directives and checks the reliability with tainted flags, the check might be wrong.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 118247
    published 2018-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118247
    title FreeBSD : ruby -- multiple vulnerabilities (afc60484-0652-440e-b01a-5ef814747f06)
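The following is an added example, not code from the Ruby advisory or from any of the plugins above. It does two things a practitioner would want when triaging CVE-2018-16396: it probes whether the running interpreter propagates the taint flag through Array#pack and String#unpack for the B, b, H and h directives, and it shows an explicit provenance wrapper (the hypothetical class Untrusted, with hypothetical methods unpack1 and release) that tracks untrusted data without relying on taint at all. The probe reports nil rather than a verdict on Ruby 2.7 and later, where taint is a no-op, and on 3.2 and later, where the taint methods were removed; the sample byte string "\x41\x42" is constructed for the example.

```ruby
# Added example for CVE-2018-16396 (not from the advisory or from Ruby itself).

TAINT_DIRECTIVES = %w[B b H h].freeze

# Taint has been a no-op since Ruby 2.7 and the methods were removed in 3.2,
# so the probe is only meaningful on an interpreter where taint still works.
def taint_usable?
  return false unless String.method_defined?(:taint) && String.method_defined?(:tainted?)
  s = String.new("probe")
  s.taint
  s.tainted?
end

# Returns a Hash of directive => true (taint propagated through both unpack
# and pack), false (taint lost, the CVE-2018-16396 behaviour), or nil when
# taint is unusable on this Ruby and nothing can be concluded.
def probe_taint_propagation
  TAINT_DIRECTIVES.each_with_object({}) do |d, out|
    unless taint_usable?
      out[d] = nil
      next
    end
    raw = String.new("\x41\x42") # constructed untrusted input
    raw.taint
    unpacked_ok = raw.unpack("#{d}*").all?(&:tainted?)

    digits = String.new("4142")  # constructed untrusted input for the pack direction
    digits.taint
    packed_ok = [digits].pack("#{d}*").tainted?

    out[d] = unpacked_ok && packed_ok
  end
end

# Explicit provenance tracking (hypothetical helper): a value that came from an
# untrusted source stays wrapped through unpack and only leaves the wrapper as
# a plain String after matching an allow-list pattern. This works identically
# on every Ruby version because it never consults the taint flag.
class Untrusted
  attr_reader :value

  def initialize(value)
    @value = value
  end

  # Decode with a pack/unpack directive; the result is still untrusted.
  def unpack1(format)
    Untrusted.new(@value.unpack1(format))
  end

  # Release the value only if it matches the caller's allow-list pattern.
  def release(allowed)
    unless allowed.match?(@value)
      raise ArgumentError, "untrusted value rejected by #{allowed.inspect}"
    end
    @value.dup
  end
end

if __FILE__ == $PROGRAM_NAME
  probe_taint_propagation.each do |d, ok|
    verdict = if ok.nil? then "taint unsupported on this Ruby"
              elsif ok then "taint propagated"
              else "taint LOST (CVE-2018-16396 behaviour)"
              end
    puts "#{d}*: #{verdict}"
  end
  hex = Untrusted.new(String.new("\x41\x42")).unpack1("H*")
  puts hex.release(/\A\h+\z/) # prints 4142 only after the allow-list check
end
```

Run it as a script on the interpreter you are assessing: on an unpatched 2.3.x/2.4.x/2.5.x it reports the four directives as losing taint, on 2.3.8, 2.4.5, 2.5.2 and later as propagating it, and on 2.7 or newer it tells you taint cannot be used as a control at all, which is the stronger argument for the explicit wrapper.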
redhat via4
advisories
  • rhsa
    id RHSA-2018:3729
  • rhsa
    id RHSA-2018:3730
  • rhsa
    id RHSA-2018:3731
refmap via4
confirm
debian DSA-4332
misc https://hackerone.com/reports/385070
mlist [debian-lts-announce] 20181028 [SECURITY] [DLA 1558-1] ruby2.1 security update
sectrack 1042106
ubuntu USN-3808-1
Last major update 16-11-2018 - 13:29
Published 16-11-2018 - 13:29
Last modified 22-04-2019 - 13:48