The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-0378 advisory.

    - Add Psych.safe_load
      * ruby-2.1.0-there-should-be-only-one-exception.patch
      * ruby-2.1.0-Adding-Psych.safe_load.patch       Related: CVE-2017-0903
    - Disable Tokyo TZ tests broken by recen tzdata update.
      * ruby-2.5.0-Disable-Tokyo-TZ-tests.patch       Related: CVE-2017-0903
    - Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
      * ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization
          -vulnerability.patch       Resolves: CVE-2017-0903
    - Fix an ANSI escape sequence vulnerability (CVE-2017-0899).
      Resolves: CVE-2017-0899
    - Fix a DOS vulernerability in the query command (CVE-2017-0900).
      Resolves: CVE-2017-0900
    - Fix a vulnerability in the gem installer that allowed a malicious gem         to overwrite arbitrary files (CVE-2017-0901).
      Resolves: CVE-2017-0901
    - Fix a DNS request hijacking vulnerability (CVE-2017-0902).
      * ruby-2.2.8-lib-rubygems-fix-several-vulnerabilities-in-RubyGems.patch       Resolves: CVE-2017-0902
    - Fix buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898).
      * ruby-2.2.8-Buffer-underrun-vulnerability-in-Kernel.sprintf.patch       Resolves: CVE-2017-0898
    - Escape sequence injection vulnerability in the Basic         authentication of WEBrick (CVE-2017-10784).
      * ruby-2.2.8-sanitize-any-type-of-logs.patch       Resolves: CVE-2017-10784
    - Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
      * ruby-2.2.8-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch       Resolves: CVE-2017-14064
    - Command injection vulnerability in Net::FTP (CVE-2017-17405).
      * ruby-2.2.9-Fix-a-command-injection-vulnerability-in-Net-FTP.patch       Resolves: CVE-2017-17405
    - Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033).
      * ruby-2.2.8-asn1-fix-out-of-bounds-read-in-decoding-constructed-objects.patch       Resolves: CVE-2017-14033

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle Linux 7 : ruby (ELSA-2018-0378)

critical Nessus Plugin ID 107080

Version 3.5