Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

According to the versions of the ruby packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Ruby 1.8.7 before patchlevel 371, 1.9.3 before     patchlevel 286, and 2.0 before revision r37068 allows     context-dependent attackers to bypass safe-level     restrictions and modify untainted strings via the     name_err_mesg_to_str API function, which marks the     string as tainted, a different vulnerability than     CVE-2011-1005.(CVE-2012-4466)

  - The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel     551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x     before 2.1.5 allows remote attackers to cause a denial     of service (CPU and memory consumption) a crafted XML     document containing an empty string in an entity that     is used in a large number of nested entity references,     aka an XML Entity Expansion (XEE) attack. NOTE: this     vulnerability exists because of an incomplete fix for     CVE-2013-1821 and CVE-2014-8080.(CVE-2014-8090)

  - Algorithmic complexity vulnerability in     Gem::Version::VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.1,     1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x     before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression.(CVE-2013-4287)

  - The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x     before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote     attackers to cause a denial of service (memory     consumption) via a crafted XML document, aka an XML     Entity Expansion (XEE) attack.(CVE-2014-8080)

  - The OpenSSL::SSL.verify_certificate_identity function     in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374,     1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does     not properly handle a '\\0' character in a domain name     in the Subject Alternative Name field of an X.509     certificate, which allows man-in-the-middle attackers     to spoof arbitrary SSL servers via a crafted     certificate issued by a legitimate Certification     Authority, a related issue to     CVE-2009-2408.(CVE-2013-4073)

  - The rb_get_path_check function in file.c in Ruby 1.9.3     before patchlevel 286 and Ruby 2.0.0 before r37163     allows context-dependent attackers to create files in     unexpected locations or with unexpected names via a NUL     byte in a file path.(CVE-2012-4522)

  - (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3     patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do     not perform taint checking for native functions, which     allows context-dependent attackers to bypass intended     $SAFE level restrictions.(CVE-2013-2065)

  - Algorithmic complexity vulnerability in     Gem::Version::ANCHORED_VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.2,     1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x     before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression. NOTE: this issue is due to an incomplete     fix for CVE-2013-4287.(CVE-2013-4363)

  - Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before     r37575 computes hash values without properly     restricting the ability to trigger hash collisions     predictably, which allows context-dependent attackers     to cause a denial of service (CPU consumption) via     crafted input to an application that maintains a hash     table, as demonstrated by a universal multicollision     attack against a variant of the MurmurHash2 algorithm,     a different vulnerability than     CVE-2011-4815.(CVE-2012-5371)

  - Off-by-one error in the encodes function in pack.c in     Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when     using certain format string specifiers, allows     context-dependent attackers to cause a denial of     service (segmentation fault) via vectors that trigger a     stack-based buffer overflow.(CVE-2014-4975)

  - Heap-based buffer overflow in Ruby 1.8, 1.9 before     1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0     preview2, and trunk before revision 43780 allows     context-dependent attackers to cause a denial of     service (segmentation fault) and possibly execute     arbitrary code via a string that is converted to a     floating point value, as demonstrated using (1) the     to_f method or (2) JSON.parse.(CVE-2013-4164)

  - It was found that the methods from the Dir class did     not properly handle strings containing the NULL byte.
    An attacker, able to inject NULL bytes in a path, could     possibly trigger an unspecified behavior of the ruby     script.(CVE-2018-8780)

  - Ruby 1.9.3 before patchlevel 286 and 2.0 before     revision r37068 allows context-dependent attackers to     bypass safe-level restrictions and modify untainted     strings via the (1) exc_to_s or (2) name_err_to_s API     function, which marks the string as tainted, a     different vulnerability than CVE-2012-4466. NOTE: this     issue might exist because of a CVE-2011-1005     regression.(CVE-2012-4464)

  - An issue was discovered in the OpenSSL library in Ruby     before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2,     and 2.6.x before 2.6.0-preview3. When two     OpenSSL::X509::Name objects are compared using ==,     depending on the ordering, non-equal objects may return     true. When the first argument is one character longer     than the second, or the second argument contains a     character that is one less than a character in the same     position of the first argument, the result of == will     be true. This could be leveraged to create an     illegitimate certificate that may be accepted as     legitimate and then used in signing or encryption     operations.(CVE-2018-16395)

  - An issue was discovered in Ruby before 2.3.8, 2.4.x     before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before     2.6.0-preview3. It does not taint strings that result     from unpacking tainted strings with some     formats.(CVE-2018-16396)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2014:0207 advisory.

    RubyGems is the Ruby standard for publishing and managing third-party     libraries.

    It was discovered that the rubygems API validated version strings using an     unsafe regular expression. An application making use of this API to process     a version string from an untrusted source could be vulnerable to a denial     of service attack through CPU exhaustion. (CVE-2013-4287)

    Red Hat would like to thank Rubygems upstream for reporting this issue.
    Upstream acknowledges Damir Sharipov as the original reporter.

    All users of Red Hat OpenShift Enterprise 2.0.2 are advised to upgrade to     this updated package, which contains a backported patch to correct this     issue.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Solaris system is missing necessary patches to address security updates :

  - Algorithmic complexity vulnerability in     Gem::Version::VERSION_PATTERN in lib/     rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24     through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before     2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows     remote attackers to cause a denial of service (CPU     consumption) via a crafted gem version that triggers a     large amount of backtracking in a regular expression.
    (CVE-2013-4287)

  - Algorithmic complexity vulnerability in     Gem::Version::ANCHORED_VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.2,     1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x     before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression. NOTE: this issue is due to an incomplete fix     for CVE-2013-4287. (CVE-2013-4363)

The remote Solaris system is missing necessary patches to address security updates :

  - Heap-based buffer overflow in Ruby 1.8, 1.9 before     1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0     preview2, and trunk before revision 43780 allows     context-dependent attackers to cause a denial of service     (segmentation fault) and possibly execute arbitrary code     via a string that is converted to a floating point     value, as demonstrated using (1) the to_f method or (2)     JSON.parse. (CVE-2013-4164)

  - Algorithmic complexity vulnerability in     Gem::Version::VERSION_PATTERN in lib/     rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24     through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before     2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows     remote attackers to cause a denial of service (CPU     consumption) via a crafted gem version that triggers a     large amount of backtracking in a regular expression.
    (CVE-2013-4287)

  - Algorithmic complexity vulnerability in     Gem::Version::ANCHORED_VERSION_PATTERN in     lib/rubygems/version.rb in RubyGems before 1.8.23.2,     1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x     before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247,     allows remote attackers to cause a denial of service     (CPU consumption) via a crafted gem version that     triggers a large amount of backtracking in a regular     expression. NOTE: this issue is due to an incomplete fix     for CVE-2013-4287. (CVE-2013-4363)

Updated Grid component packages that fix multiple security issues are now available for Red Hat Enterprise MRG 2.4 for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing for enterprise customers.

MRG Grid provides high-throughput computing and enables enterprises to achieve higher peak computing capacity as well as improved infrastructure utilization by leveraging their existing technology to build high performance grids. MRG Grid provides a job-queueing mechanism, scheduling policy, and a priority scheme, as well as resource monitoring and resource management. Users submit their jobs to MRG Grid, where they are placed into a queue. MRG Grid then chooses when and where to run the jobs based upon a policy, carefully monitors their progress, and ultimately informs the user upon completion.

It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the connection may have been silently downgraded to HTTP. (CVE-2012-2125)

It was found that RubyGems did not verify SSL connections. This could lead to man-in-the-middle attacks. (CVE-2012-2126)

It was discovered that the rubygems API validated version strings using an unsafe regular expression. An application making use of this API to process a version string from an untrusted source could be vulnerable to a denial of service attack through CPU exhaustion.
(CVE-2013-4287)

A flaw was found in the way cumin enforced user roles, allowing an unprivileged cumin user to access a range of resources without having the appropriate role. A remote, authenticated attacker could use this flaw to access privileged information, and perform a variety of privileged operations. (CVE-2013-4404)

It was found that multiple forms in the cumin web interface did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who is logged into the cumin web interface, into visiting a specially crafted URL, the attacker could perform actions in the context of the logged in user. (CVE-2013-4405)

It was found that cumin did not properly escape input from the 'Max allowance' field in the 'Set limit' form of the cumin web interface. A remote attacker could use this flaw to perform cross-site scripting (XSS) attacks against victims by tricking them into visiting a specially crafted URL. (CVE-2013-4414)

A flaw was found in the way cumin parsed POST request data. A remote attacker could potentially use this flaw to perform SQL injection attacks on cumin's database. (CVE-2013-4461)

Red Hat would like to thank Rubygems upstream for reporting CVE-2013-4287. Upstream acknowledges Damir Sharipov as the original reporter of CVE-2013-4287. The CVE-2013-4404, CVE-2013-4405, CVE-2013-4414, and CVE-2013-4461 issues were discovered by Tomas Novacik of the Red Hat MRG Quality Engineering team.

All users of the Grid capabilities of Red Hat Enterprise MRG are advised to upgrade to these updated packages, which correct these issues.

ruby19 was updated to fix the following security issues :

  - fix CVE-2013-2065: Object taint bypassing in DL and     Fiddle (bnc#843686) The file CVE-2013-2065.patch     contains the patch

  - fix CVE-2013-4287 CVE-2013-4363: ruby19: Algorithmic     complexity vulnerability (bnc#837457) The file     CVE-2013-4287-4363.patch contains the patch

Ruby Gem developers report :

RubyGems validates versions with a regular expression that is vulnerable to denial of service due to backtracking. For specially crafted RubyGems versions attackers can cause denial of service through CPU consumption.

According to its self-reported version number, the Puppet Enterprise install on the remote host is a version prior to 3.1.0.  As a result, it is reportedly affected by multiple vulnerabilities :

  - An error exists related to the Fiddle and DL modules,     '$SAFE' level verification and object handling that     could allow an attacker to modify system calls.
    (CVE-2013-2065)

  - A remote code execution vulnerability exists that is     triggered when handling a YAML report. This could allow     a remote attacker to execute arbitrary code.
    (CVE-2013-4957)

  - A console account brute-force vulnerability exists that     could allow an attacker to brute-force a known user's     password. (CVE-2013-4965)

  - A RubyGems algorithmic complexity denial of service     vulnerability exists that could allow an attacker to     cause a denial of service through CPU consumption.
    (CVE-2013-4287)

From Red Hat Security Advisory 2013:1441 :

An updated rubygems package that fixes three security issues is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

RubyGems is the Ruby standard for publishing and managing third-party libraries.

It was found that RubyGems did not verify SSL connections. This could lead to man-in-the-middle attacks. (CVE-2012-2126)

It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the connection may have been silently downgraded to HTTP. (CVE-2012-2125)

It was discovered that the rubygems API validated version strings using an unsafe regular expression. An application making use of this API to process a version string from an untrusted source could be vulnerable to a denial of service attack through CPU exhaustion.
(CVE-2013-4287)

Red Hat would like to thank Rubygems upstream for reporting CVE-2013-4287. Upstream acknowledges Damir Sharipov as the original reporter.

All rubygems users are advised to upgrade to this updated package, which contains backported patches to correct these issues.

An updated rubygems package that fixes three security issues is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

RubyGems is the Ruby standard for publishing and managing third-party libraries.

It was found that RubyGems did not verify SSL connections. This could lead to man-in-the-middle attacks. (CVE-2012-2126)

It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the connection may have been silently downgraded to HTTP. (CVE-2012-2125)

It was discovered that the rubygems API validated version strings using an unsafe regular expression. An application making use of this API to process a version string from an untrusted source could be vulnerable to a denial of service attack through CPU exhaustion.
(CVE-2013-4287)

Red Hat would like to thank Rubygems upstream for reporting CVE-2013-4287. Upstream acknowledges Damir Sharipov as the original reporter.

All rubygems users are advised to upgrade to this updated package, which contains backported patches to correct these issues.

It was found that RubyGems did not verify SSL connections. This could lead to man-in-the-middle attacks. (CVE-2012-2126)

It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the connection may have been silently downgraded to HTTP. (CVE-2012-2125)

It was discovered that the rubygems API validated version strings using an unsafe regular expression. An application making use of this API to process a version string from an untrusted source could be vulnerable to a denial of service attack through CPU exhaustion.
(CVE-2013-4287)

The remote Redhat Enterprise Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2013:1441 advisory.

    RubyGems is the Ruby standard for publishing and managing third-party     libraries.

    It was found that RubyGems did not verify SSL connections. This could lead     to man-in-the-middle attacks. (CVE-2012-2126)

    It was found that, when using RubyGems, the connection could be redirected     from HTTPS to HTTP. This could lead to a user believing they are installing     a gem via HTTPS, when the connection may have been silently downgraded to     HTTP. (CVE-2012-2125)

    It was discovered that the rubygems API validated version strings using an     unsafe regular expression. An application making use of this API to process     a version string from an untrusted source could be vulnerable to a denial     of service attack through CPU exhaustion. (CVE-2013-4287)

    Red Hat would like to thank Rubygems upstream for reporting CVE-2013-4287.
    Upstream acknowledges Damir Sharipov as the original reporter.

    All rubygems users are advised to upgrade to this updated package, which     contains backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
124931	EulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428)	Nessus	Huawei Local Security Checks	critical
119345	RHEL 6 : rubygems (RHSA-2014:0207)	Nessus	Red Hat Local Security Checks	high
80760	Oracle Solaris Third-Party Patch Update : rubygems (multiple_cryptographic_issues_vulnerabilities_in1)	Nessus	Solaris Local Security Checks	medium
80757	Oracle Solaris Third-Party Patch Update : ruby (multiple_vulnerabilities_in_ruby1)	Nessus	Solaris Local Security Checks	medium
80756	Oracle Solaris Third-Party Patch Update : ruby (multiple_cryptographic_issues_vulnerabilities_in)	Nessus	Solaris Local Security Checks	medium
76671	RHEL 6 : MRG (RHSA-2013:1852)	Nessus	Red Hat Local Security Checks	high
75178	openSUSE Security Update : ruby19 (openSUSE-SU-2013:1611-1)	Nessus	SuSE Local Security Checks	medium
71070	FreeBSD : ruby-gems -- Algorithmic Complexity Vulnerability (54237182-9635-4a8b-92d7-33bfaeed84cd)	Nessus	FreeBSD Local Security Checks	medium
70684	Puppet Enterprise < 3.1.0 Multiple Vulnerabilities	Nessus	CGI abuses	medium
70524	Oracle Linux 6 : rubygems (ELSA-2013-1441)	Nessus	Oracle Linux Local Security Checks	medium
70501	CentOS 6 : rubygems (CESA-2013:1441)	Nessus	CentOS Local Security Checks	medium
70491	Scientific Linux Security Update : rubygems on SL6.x (noarch) (20131017)	Nessus	Scientific Linux Local Security Checks	medium
70489	RHEL 6 : rubygems (RHSA-2013:1441)	Nessus	Red Hat Local Security Checks	medium
70234	Amazon Linux AMI : rubygems (ALAS-2013-230)	Nessus	Amazon Linux Local Security Checks	medium

Detections

Analytics

CVE-2013-4287

high

Tenable Plugins

critical

high

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

medium

medium