Debian DLA-1796-1 : jruby security update

critical Nessus Plugin ID 125297

Synopsis

The remote Debian host is missing a security update.

Description

Multiple vulnerabilities have been discovered in jruby, Java implementation of the Ruby programming language.

CVE-2018-1000074

Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file

CVE-2018-1000075

an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop

CVE-2018-1000076

Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.

CVE-2018-1000077

Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL

CVE-2018-1000078

Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server

CVE-2019-8321

Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible

CVE-2019-8322

The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur

CVE-2019-8323

Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

CVE-2019-8324

A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line of gemspec

CVE-2019-8325

Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

For Debian 8 'Jessie', these problems have been fixed in version 1.5.6-9+deb8u1.

We recommend that you upgrade your jruby packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected jruby package.

See Also

https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html

https://packages.debian.org/source/jessie/jruby

Plugin Details

Severity: Critical

ID: 125297

File Name: debian_DLA-1796.nasl

Version: 1.5

Type: local

Agent: unix

Published: 5/21/2019

Updated: 5/21/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-1000076

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:jruby, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 5/20/2019

Vulnerability Publication Date: 3/13/2018

Reference Information

CVE: CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325