The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.

The remote Solaris system is missing necessary patches to address security updates :

  - The safe-level feature in Ruby 1.8.6 through 1.8.6-420,     1.8.7 through 1.8.7-330, and 1.8.8dev allows     context-dependent attackers to modify strings via the     Exception#to_s method, as demonstrated by changing an     intended pathname. (CVE-2011-1005)

  - The safe-level feature in Ruby 1.8.7 allows     context-dependent attackers to modify strings via the     NameError#to_s method when operating on Ruby objects.
    NOTE: this issue is due to an incomplete fix for     CVE-2011-1005. (CVE-2012-4481)

  - The OpenSSL::SSL.verify_certificate_identity function in     lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9     before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not     properly handle a '\0' character in a domain name in the     Subject Alternative Name field of an X.509 certificate,     which allows man-in-the-middle attackers to spoof     arbitrary SSL servers via a crafted certificate issued     by a legitimate Certification Authority, a related issue     to CVE-2009-2408. (CVE-2013-4073)

The remote host is affected by the vulnerability described in GLSA-201412-27 (Ruby: Denial of Service)

    Multiple vulnerabilities have been discovered in Ruby. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could possibly execute arbitrary code with       the privileges of the process, cause a Denial of Service condition, or       bypass security restrictions.
  Workaround :

    There is no known workaround at this time.

It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821)

It was found that the RHSA-2011-0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname. (CVE-2011-1005)

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-0612 advisory.

    -  escaping vulnerability about Exception#to_s / NameError#to_s
      * ruby-1.8.7-p371-CVE-2012-4481.patch
      - Related: rhbz#915379

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-0129 advisory.

    - unintentional file creation caused by inserting an illegal NUL character
      * ruby-1.8.6-CVE-2012-4522-io.c-pipe_open-command-name-should-not-contain-null-.patch
      - Related: rhbz#867750
    -  escaping vulnerability about Exception#to_s / NameError#to_s
      * ruby-1.8.7-p371-CVE-2012-4481.patch
      - Resolves: rhbz#867750
    - unintentional file creation caused by inserting an illegal NUL character
      * ruby-1.8.6-CVE-2012-4522-io.c-rb_open_file-should-check-NUL-in-path.patch
      - Resolves: rhbz#867750

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated ruby packages fix security vulnerabilities :

Shugo Maedo and Vit Ondruch discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions (CVE-2012-4466, CVE-2012-4481).

It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially crafted XML content, which will result in REXML consuming large amounts of system memory (CVE-2013-1821).

Updated ruby packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821)

It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)

The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat.

All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821)

It was found that the SLSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)

The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat.

It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
(CVE-2012-4522)

It was found that the SLSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)

This update also fixes the following bug :

  - Prior to this update, the 'rb_syck_mktime' option could,     under certain circumstances, terminate with a     segmentation fault when installing libraries with     certain gems. This update modifies the underlying code     so that Ruby gems can be installed as expected.

Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
(CVE-2012-4522)

It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)

The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat.

This update also fixes the following bug :

* Prior to this update, the 'rb_syck_mktime' option could, under certain circumstances, terminate with a segmentation fault when installing libraries with certain gems. This update modifies the underlying code so that Ruby gems can be installed as expected.
(BZ#834381)

All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:0129 advisory.

  - ruby: Incomplete fix for CVE-2011-1005 for NameError#to_s method when used on objects (CVE-2012-4481)

  - ruby: unintentional file creation caused by inserting an illegal NUL character (CVE-2012-4522)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

USN-1603-1 fixed vulnerabilities in Ruby. This update provides the corresponding updates for Ubuntu 12.10.

Shugo Maedo and Vit Ondruch discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions.
(CVE-2012-4466, CVE-2012-4481).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Shugo Maedo and Vit Ondruch discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions.
(CVE-2012-4466, CVE-2012-4481).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
80755	Oracle Solaris Third-Party Patch Update : ruby (cve_2013_4073_cryptographic_issues)	Nessus	Solaris Local Security Checks	medium
79980	GLSA-201412-27 : Ruby: Denial of Service	Nessus	Gentoo Local Security Checks	high
69732	Amazon Linux AMI : ruby (ALAS-2013-173)	Nessus	Amazon Linux Local Security Checks	medium
68782	Oracle Linux 6 : ruby (ELSA-2013-0612)	Nessus	Oracle Linux Local Security Checks	medium
68700	Oracle Linux 5 : ruby (ELSA-2013-0129)	Nessus	Oracle Linux Local Security Checks	high
66136	Mandriva Linux Security Advisory : ruby (MDVSA-2013:124)	Nessus	Mandriva Local Security Checks	medium
65166	CentOS 6 : ruby (CESA-2013:0612)	Nessus	CentOS Local Security Checks	medium
65094	Scientific Linux Security Update : ruby on SL6.x i386/x86_64 (20130307)	Nessus	Scientific Linux Local Security Checks	medium
65085	RHEL 6 : ruby (RHSA-2013:0612)	Nessus	Red Hat Local Security Checks	medium
63603	Scientific Linux Security Update : ruby on SL5.x i386/x86_64 (20130108)	Nessus	Scientific Linux Local Security Checks	medium
63574	CentOS 5 : ruby (CESA-2013:0129)	Nessus	CentOS Local Security Checks	medium
63410	RHEL 5 : ruby (RHSA-2013:0129)	Nessus	Red Hat Local Security Checks	high
62660	Ubuntu 12.10 : ruby1.8 vulnerabilities (USN-1603-2)	Nessus	Ubuntu Local Security Checks	medium
62497	Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : ruby1.8 vulnerabilities (USN-1603-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2012-4481

high

Tenable Plugins

medium

high

medium

medium

high

medium

medium

medium

medium

medium

medium

high

medium

medium